team pong

Dutch CTF "team pong" write-ups and other stuff

Archive for November 2012

RuCTF 2012 – Very interesting


We participated in RuCTF 2012 with about 8 team members. It was our first Attack/Defense style CTF and we liked it… sort of. Let's say we were learning every second, trying to keep up and getting our network and tooling ready during the CTF instead of before it. 🙂

What did we learn:

  • Prepare, prepare and prepare;
  • Make sure you have enough people: 1 team lead, 2 on defense, 1 on system management, and at least one per challenge;
  • Create an automated attack framework, working in advance, to launch your attacks against the 9 services of 50-100 opponents every 5 minutes. You do not want to perform 450-900 attacks by hand each round, not counting submitting the flags afterwards;
  • The teamlead should allocate the appropriate tasks to each team member and stick to it.

We managed to get to 7th place in the Final2 group but were done at around 01:30. We pulled the plug on our network and called it quits. We ended up 15th as a result, not bad for a first timer.

Thanks to the RuCTF team for setting this thing up, great work. Until next year!

Written by teampong

November 27, 2012 at 8:04 am

Posted in Uncategorized

RuCTFE 2012 – We’re on….or maybe not.


We will be participating in the RuCTFE 2012 online CTF. This time it is an Attack/Defense style CTF, a first for most of our team members, and we are looking forward to it. On the other hand, Attack/Defense style CTFs are won through good preparation… oooops… maybe we need to start preparing then :).

To all teams, have a good one!

Written by teampong

November 20, 2012 at 5:51 am

Posted in Uncategorized

Hack.lu CTF 2012 – #4 Reduced Security Agency


Some of our guys broke into the Reduced Security Agency and stole the source of their highly secure login system. Unfortunately none of them made it back uninfected, and so we only have a part of the source. Now it's your turn to break their system and log in to the agency.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/**
 * Copyright: ErEsAh Securse-ID Token
 **/

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <gmp.h>

/* Hourly token: (now/3600 + nonce)^key mod 13371337.
 * The modulus argument is never used; the real modulus is hard-coded. */
unsigned int
gen_auth(mpz_t key, mpz_t modulus, mpz_t nonce)
{
    time_t now = time(NULL);
    unsigned int range = now / 3600;
    unsigned int token;

    mpz_t t;
    mpz_init(t);
    mpz_set_ui(t, range);

    mpz_t auth;
    mpz_init(auth);

    mpz_add(t, t, nonce);
    mpz_t newmod;
    mpz_init(newmod);
    mpz_set_ui(newmod, 13371337);
    mpz_powm(auth, t, key, newmod);
    token = mpz_get_ui(auth);

    return token;
}

/* Pack a C string into an integer, first byte in the lowest 8 bits. */
void
chartompz(mpz_t result, char *msgptr)
{
    unsigned int size = strlen(msgptr);
    mpz_t msg;
    mpz_t tmp;
    mpz_init(tmp);
    mpz_init(msg);
    int i;

    printf("strlen = %u\n", size);
    for (i = 0; i < size; i++) {
        mpz_set_ui(tmp, (int)msgptr[i]);
        mpz_mul_2exp(tmp, tmp, 8*i);
        mpz_add(msg, msg, tmp);
    }

    mpz_set(result, msg);
}

/* Inverse of chartompz: extract one byte per iteration. The shift is done
 * as a ceiling shift by 7*i followed by i halvings, roughly 8*i in total. */
char *
mpztochar(mpz_t code)
{
    int i, j;
    mpz_t tmp2;
    mpz_t and255;
    mpz_init(tmp2);
    mpz_init(and255);
    mpz_set_ui(and255, 255);
    int length = mpz_sizeinbase(code, 2);
    length = (length / 8) + 1;

    char *text;
    text = malloc((length + 1)*sizeof(char)); /* +1: room for the terminator */
    if (!text) {
        return NULL;
    }

    unsigned int tmp3;

    for (i = 0; i < length; i++) {
        mpz_set(tmp2, code);
        mpz_cdiv_q_2exp(tmp2, tmp2, i*7);

        for (j = 0; j < i; j++) {
            mpz_div_ui(tmp2, tmp2, 2);
        }

        mpz_and(tmp2, tmp2, and255);
        tmp3 = mpz_get_ui(tmp2);
        text[i] = (char) tmp3;
    }
    text[length] = '\0';
    return text;
}

/* Public exponent as the modular inverse of the secret key. */
void
gen_pubkey(mpz_t result, mpz_t key, mpz_t modulus)
{
    mpz_t pubkey;
    mpz_init(pubkey);
    mpz_invert(pubkey, key, modulus);
    mpz_set(result, pubkey);
}

/* Secret key: one random bit per step. A 1 sets bit i and moves i up,
 * a 0 clears bit j (already zero) and moves j down, until i == j. */
int
gen_seckey(mpz_t result)
{
    mpz_t key;
    int i = 0, j;
    unsigned int seed, random;
    FILE *frand;
    mpz_init2(key, 2048);

    gmp_randstate_t state;
    gmp_randinit_default(state);
    frand = fopen("/dev/random", "r");
    if (frand == NULL) {
        printf("fopen() failed\n");
        return -1;
    }

    /* Only 32 bits of seed are read; all further randomness comes from GMP's PRNG. */
    if (fread(&seed, sizeof(seed), 1, frand) != 1) {
        printf("fread() failed\n");
        fclose(frand);
        return -1;
    }
    fclose(frand);
    gmp_randseed_ui(state, seed);

    j = 2047;
    while (i != j) {
        random = gmp_urandomb_ui(state, 1);
        if (random) {
            mpz_setbit(key, i);
            i++;
        }
        else if (!random) {
            mpz_clrbit(key, j);
            j--;
        }
    }

    mpz_set(result, key);
    return 0;
}

/* Textbook RSA: ciphertext = base^key mod modulus. */
void
encrypt(mpz_t result, mpz_t base, mpz_t key, mpz_t modulus)
{
    mpz_t msg;
    mpz_init(msg);

    mpz_t ciphertext;
    mpz_init(ciphertext);

    printf("encrypting...\n");
    mpz_powm(ciphertext, base, key, modulus);

    mpz_set(result, ciphertext);
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Studying this code we find a couple of very strange facts:
– gen_seckey always produces keys of the form 00…0011…11, i.e. 2^x-1
– gen_auth uses the hard-coded 13371337 as modulus

In an RSA based system the only number which may be chosen completely at random is the decryption exponent d, so it seems likely that gen_seckey is used to calculate d. We try all different variants of pow(2,x)-1 and find d=2^1024-1.

The token needed for authentication is generated by pow(time()/3600+nonce, d) mod 13371337. Given that we have just found d, we can connect to the ssh server and calculate the token needed to log in.
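The two observations above can be checked without GMP. The following Python is an added example, not code from the write-up or from the challenge: it ports gen_seckey and gen_auth, shows that every key the generator can emit is 2^k-1 (2048 possibilities, about 11 bits of entropy, and because exactly 2047 fair bits are drawn, k is binomially distributed around 1024), and enumerates those candidates against one observed token. The nonce and time values are constructed.

```python
import random

KEY_BITS = 2048           # mpz_init2(key, 2048) in the leaked source
TOKEN_MODULUS = 13371337  # hard-coded in gen_auth

def gen_seckey(rng):
    """Port of the leaked gen_seckey.  One random bit per step: a 1 sets the
    next low bit (i moves up), a 0 clears the next high bit (j moves down),
    until the cursors meet.  Exactly KEY_BITS-1 bits are drawn and the result
    is 2**i - 1 with i the number of 1s, so i ~ Binomial(2047, 1/2)."""
    key, i, j = 0, 0, KEY_BITS - 1
    while i != j:
        if rng.getrandbits(1):
            key |= 1 << i
            i += 1
        else:
            key &= ~(1 << j)  # bit j was never set; only the cursor moves
            j -= 1
    return key

def gen_auth(key, nonce, now):
    """Port of gen_auth: token = (now/3600 + nonce)^key mod 13371337."""
    return pow(now // 3600 + nonce, key, TOKEN_MODULUS)

def is_all_ones(key):
    """True for keys of the form 0...01...1, i.e. 2**k - 1 (k >= 0)."""
    return (key & (key + 1)) == 0

def candidate_keys():
    """The complete set of values gen_seckey can ever return: 2048 of them,
    about 11 bits of entropy instead of 2048."""
    return [(1 << k) - 1 for k in range(KEY_BITS)]

def recover_k(token, nonce, now):
    """All k for which d = 2**k - 1 reproduces one observed token."""
    base = now // 3600 + nonce
    return [k for k in range(KEY_BITS)
            if pow(base, (1 << k) - 1, TOKEN_MODULUS) == token]

def sample_keys(samples=200, seed=2012):
    """Run the generator with a seeded PRNG (constructed sample)."""
    rng = random.Random(seed)
    return [gen_seckey(rng) for _ in range(samples)]

if __name__ == "__main__":
    lengths = sorted(k.bit_length() for k in sample_keys())
    print("distinct keys possible:", len(candidate_keys()))
    print("bit lengths seen:", lengths[0], "to", lengths[-1])  # near 1024
```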

Written by teampong

November 9, 2012 at 1:03 pm

Posted in Uncategorized

Hack.lu CTF 2012 – #7 Python Jail


The challenge:

You are surrounded by zombies. You heard there's a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there's another survivor over there. "Hey! Help me!", you shout. He just laughs and shakes you off the fence. Asshole.

Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh... karma is a bitch. But that means you'll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck. Better try this one:

https://ctf.fluxfingers.net/challenges/python_jail/chal.py 
ctf.fluxfingers.net tcp/2045 

Hint: You'll find the entrance in "./key" Notes: This challenge is a tribute to PHDays Finals 2012 challenge 'ndevice'. Thanks again, I had fun solving it. I'm fairly certain that this challenge avoids being exploitable by the tricks we could use in PHDays (the module "os" was imported...). So, no advantage for people who did not attend PHDays.

The source code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/env python
'''
Running instructions.
 sockets are insecure. We do not implement any socket behaviour in this
 file.
 Please make this file +x and run with socat:
    socat TCP-LISTEN:45454,fork EXEC:./chal.py,pty,stderr

Debugging:
 Just execute chal.py and play on terminal, no need to run socat

Note:
 This challenge is a tribute to PHDays Finals 2012 challenge 'ndevice'.
 Thanks again, I had fun solving it.

 I'm fairly certain that this challenge avoids being exploitable by
 the tricks we could use in PHDays (the module "os" was imported...).
 So, no advantage for people who did not attend PHDays.
'''

def make_secure():
    UNSAFE_BUILTINS = ['open',
                       'file',
                       'execfile',
                       'compile',
                       'reload',
                       '__import__',
                       'eval',
                       'input']  ## block object?
    for func in UNSAFE_BUILTINS:
        del __builtins__.__dict__[func]

from re import findall
make_secure()


print 'Go Ahead, Expoit me >;D'


while True:
    try:
        inp = findall('\S+', raw_input())[0]
        a = None
        exec 'a=' + inp
        print 'Return Value:', a
    except Exception, e:
        print 'Exception:', e
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The python jail removes almost all interesting functions from scope by deleting them from the builtins dictionary. However, we still have a reference to the findall function from the re module, and through its __globals__ everything visible to that module can be reached. Via the sys module we reference the os module, call system and read the key file (without a space in the command, since only the first whitespace-free token of the input is used):

findall.__globals__['sys'].modules['os'].system("cat<key")
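As an added example (not part of the write-up), the following Python 3 code audits a namespace the way a reviewer of such a jail would: starting only from what the user can name (here just findall) it walks function globals and module attributes to list which sensitive modules stay reachable with every builtin removed, and contrasts the exec approach with the allow-list alternative ast.literal_eval. The DANGEROUS watch list and the depth limit are my assumptions.

```python
import ast
import re
import types
from collections import deque

DANGEROUS = {"os", "sys", "subprocess", "builtins"}  # assumed watch list

def jail_namespace():
    """What a user's expression can still name after make_secure():
    every listed builtin is gone, but `findall` from `re` stays in scope."""
    return {"findall": re.findall}

def reachable_modules(namespace, max_depth=6):
    """Breadth-first walk from every object in `namespace` through function
    __globals__, module attributes and plain dicts; returns the shortest
    path to each DANGEROUS module reachable without using any builtin."""
    found, seen = {}, set()
    queue = deque((name, obj, 0) for name, obj in namespace.items())
    while queue:
        path, obj, depth = queue.popleft()
        if id(obj) in seen or depth > max_depth:
            continue
        seen.add(id(obj))
        if isinstance(obj, types.ModuleType):
            if obj.__name__ in DANGEROUS and obj.__name__ not in found:
                found[obj.__name__] = path
            children = [(f"{path}.{k}", v) for k, v in vars(obj).items()]
        elif isinstance(obj, types.FunctionType):
            children = [(f"{path}.__globals__", obj.__globals__)]
        elif isinstance(obj, dict):
            children = [(f"{path}[{k!r}]", v) for k, v in obj.items()]
        else:
            continue
        queue.extend((p, c, depth + 1) for p, c in children)
    return found

def safe_literal(inp):
    """Allow-list replacement for `exec 'a=' + inp`: only Python literals
    parse; names, attribute access and calls raise and are rejected."""
    try:
        return ast.literal_eval(inp)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None

if __name__ == "__main__":
    for name, path in sorted(reachable_modules(jail_namespace()).items()):
        print(f"{name:9s} reachable via {path}")
    print(safe_literal("findall.__globals__['sys']"))  # None: rejected
```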

Written by teampong

November 9, 2012 at 7:13 am

Posted in Uncategorized