This commit is contained in:
Michael Barre 2017-03-12 04:38:22 -05:00
commit f37d91600f
25 changed files with 270 additions and 26 deletions

View file

@ -1,4 +1,4 @@
def grade(autogen, answer): def grade(autogen, answer):
if answer == ("421049228295820"): if answer == ("906730649345"):
return True, "Correct!" return True, "Correct!"
return False, "Nope, try again." return False, "Nope, try again."

View file

@ -1,3 +1,4 @@
g^a mod p = 421049228295820 g^a mod p = 791868216278
g^b mod p = 105262307073955 g^b mod p = 722955066776
p=442101689710611
p = 986314922069

View file

@ -1,9 +1,9 @@
title: Diffie-cult title: Diffie-cult
author: nicebowlofsoup author: arxenix
hint: Wikipedia explains Diffie-hellman pretty well. There is a also a very easy way to do this. hint: Wikipedia explains Diffie-hellman pretty well.
category: Cryptography category: Cryptography
autogen: false autogen: false
programming: false programming: false
value: 50 value: 140
files: files:
- messages.txt - messages.txt

View file

@ -0,0 +1 @@
There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server /problems/ directory.

View file

@ -1,6 +1,8 @@
//compile with: //compile with:
//gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous //gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous
//sol: input "A"*40+"\x00\x80\x34\x41"
#define _GNU_SOURCE #define _GNU_SOURCE
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>

View file

@ -0,0 +1,4 @@
def grade(random, key):
if key.find("bofs_and_floats_are_d0uble_tr0uble!") != -1:
return True, "Correct!"
return False, "Nope :("

View file

@ -4,6 +4,6 @@ hint: How are floating-point numbers represented?
category: Binary Exploitation category: Binary Exploitation
autogen: false autogen: false
programming: false programming: false
value: 75 value: 110
files: files:
- doubly_dangerous - doubly_dangerous

View file

@ -1 +0,0 @@
This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](easy_re)

Binary file not shown.

View file

@ -1,4 +0,0 @@
def grade(autogen, key):
if key.find("1f_0nly_4ll_r3_w4s_34sy") != -1:
return True, "Correct!"
return False, "Nope!"

View file

@ -1,9 +0,0 @@
author: GenericNickname
title: Easy RE
hint: There's only one place the flag could be.
category: Reverse Engineering
autogen: false
programming: false
value: 25
files:
- easy-re

84
hexable-autogen/char.inc Normal file
View file

@ -0,0 +1,84 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Character defines
NULL equ 0x00
BELL equ 0x07
BSPC equ 0x08
TAB equ 0x09
ENDL equ 0x0A
CRET equ 0x0D
CHAR_0 equ 0x30
CHAR_1 equ 0x31
CHAR_2 equ 0x32
CHAR_3 equ 0x33
CHAR_4 equ 0x34
CHAR_5 equ 0x35
CHAR_6 equ 0x36
CHAR_7 equ 0x37
CHAR_8 equ 0x38
CHAR_9 equ 0x39
CHAR_A equ 0x41
CHAR_B equ 0x42
CHAR_C equ 0x43
CHAR_D equ 0x44
CHAR_E equ 0x45
CHAR_F equ 0x46
CHAR_G equ 0x47
CHAR_H equ 0x48
CHAR_I equ 0x49
CHAR_J equ 0x4a
CHAR_K equ 0x4b
CHAR_L equ 0x4c
CHAR_M equ 0x4d
CHAR_N equ 0x4e
CHAR_O equ 0x4f
CHAR_P equ 0x50
CHAR_Q equ 0x51
CHAR_R equ 0x52
CHAR_S equ 0x53
CHAR_T equ 0x54
CHAR_U equ 0x55
CHAR_V equ 0x56
CHAR_W equ 0x57
CHAR_X equ 0x58
CHAR_Y equ 0x59
CHAR_Z equ 0x5a
CHAR_a equ 0x61
CHAR_b equ 0x62
CHAR_c equ 0x63
CHAR_d equ 0x64
CHAR_e equ 0x65
CHAR_f equ 0x66
CHAR_g equ 0x67
CHAR_h equ 0x68
CHAR_i equ 0x69
CHAR_j equ 0x6a
CHAR_k equ 0x6b
CHAR_l equ 0x6c
CHAR_m equ 0x6d
CHAR_n equ 0x6e
CHAR_o equ 0x6f
CHAR_p equ 0x70
CHAR_q equ 0x71
CHAR_r equ 0x72
CHAR_s equ 0x73
CHAR_t equ 0x74
CHAR_u equ 0x75
CHAR_v equ 0x76
CHAR_w equ 0x77
CHAR_x equ 0x78
CHAR_y equ 0x79
CHAR_z equ 0x7a
;;;;;;;;;;;;;;;;;;;;;;;;;;;
macro resv c_size
{
db c_size dup (0)
}
macro resv_stuff c_size
{
repeat c_size
db % and 0xff
end repeat
}

View file

@ -0,0 +1,2 @@
I tried to hide a flag sneakily, can you find it?
[Download](${hexable})

45
hexable-autogen/elf.inc Normal file
View file

@ -0,0 +1,45 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; ELF header for stuff
RLIMIT_AS equ 0x09
macro reserve name,size
{
name db 0
repeat size-1
db 0
end repeat
}
macro print message
{
mov eax, message
@@:
cmp byte [eax], 0
jz @f
inc eax
jmp @b
@@:
mov edx, eax
sub edx, message
mov eax, 4
mov ebx, 1
mov ecx, message
int 0x80
}
macro read out_buff, cnt
{
mov ebx, 0
mov eax, 3
mov ecx, out_buff
mov edx, cnt
int 0x80
}
macro exit exitcode
{
mov ebx, exitcode
mov eax, 1
int 0x80
}

22
hexable-autogen/grader.py Normal file
View file

@ -0,0 +1,22 @@
from cStringIO import StringIO
def gen_flag(random, length):
x = ''
for i in range(0, length):
x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
return x
def grade(random, key):
if key.find(gen_flag(random, 14)) != -1:
return True, "Correct!"
return False, "Nope."
def generate(random):
dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
output = bytearray(dat[:0xdb])
flag = gen_flag(random, 14)
output.extend(flag.encode('utf-8'))
output.extend(dat[0xdb + 14:])
return dict(files={"hexable": (lambda r: StringIO(output))})

BIN
hexable-autogen/hexable Normal file

Binary file not shown.

View file

@ -0,0 +1,35 @@
format ELF executable 3
entry start
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Buffer macros
BUFF_SIZE equ 32
;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Includes of macros
include 'elf.inc'
include 'char.inc'
;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code
segment executable writeable readable
put:
print ecx
ret
start:
mov ecx, msg
call put
exit 0
reserve no_code,20
;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Data
segment readable writeable
msg db 'Can you find the flag?',ENDL,0
flag db 'easyctf{abcdef__123456}'
reserve temp,1
;;;;;;;;;;;;;;;;;;;;;;;;;;;

View file

@ -0,0 +1,6 @@
title: Hexable
category: Reverse Engineering
value: 25
author: r3ndom
autogen: true
hint: Try using a hex editor.

View file

@ -0,0 +1,19 @@
import random
dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
def gen_flag(length):
x = ''
for i in range(0,length):
x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
return x
output = bytearray(dat[:0xdb])
flag = gen_flag(14)
output.extend(flag.encode('utf-8'))
output.extend(dat[0xdb+14:])
print(output)
#o = open(flag, 'wb')
#o.write(output)
#o.close()

32
hexable-autogen/std.inc Normal file
View file

@ -0,0 +1,32 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Standard Includes of my
; code
include 'char.inc'
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; File descriptor macros
STDIN equ 0
STDOUT equ 1
STDERR equ 2
;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Standard prologue of a function
macro prologue
{
push ebp
mov ebp, esp
}
; Standard epilogue of a function
macro epilogue
{
mov esp, ebp
pop ebp
}
; Allocates space on the stack for something
macro local_alloc size
{
sub esp,size
}

View file

@ -3,5 +3,6 @@ category: Reverse Engineering
value: 450 value: 450
author: r3ndom author: r3ndom
autogen: false autogen: false
hint: Maybe write a script.
files: files:
- _67k.zip - _67k.zip

View file

@ -1 +1,3 @@
We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](casino) (MZ SHELL SERVER THING) We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](${casino})
Solve this problem by logging into the shell server and navigating to `/problems`.

View file

@ -39,7 +39,7 @@ def generate_ciphertext(random):
def generate(random): def generate(random):
return dict(files={ return dict(files={
"ciphertext_rsa1.txt": generate_ciphertext "ciphertext.txt": generate_ciphertext
}) })
def grade(random, key): def grade(random, key):

View file

@ -38,7 +38,7 @@ def generate_ciphertext(random):
def generate(random): def generate(random):
return dict(files={ return dict(files={
"ciphertext_rsa2.txt": generate_ciphertext "ciphertext.txt": generate_ciphertext
}) })
def grade(random, key): def grade(random, key):

View file

@ -1,3 +1,5 @@
On the shell there is a folder `<insert location>`. On the shell there is a folder `<insert location>`.
Read flag.txt Read flag.txt
[Source](${simple-rop.c}) [Source](${simple-rop.c})