2012
Oct.19

October 17th, 10pm. Someone on IRC told me they were partaking in a CTF, which I apparently didn’t know was on. The Leetmore (Hackyou) CTF had been running from October 8th, so I had one day to finish it. I decided to see what challenges were available and just have fun. The challenges I did were very easy, RE100 and RE200.

I decided to do a writeup to make up for the lack of content, and while I fix up all my other drafts. Also note, I am trying to find the mirrored files for RE300 so I can finish all of the reverse engineering challenges, but for now, I only have these two (RE100 and RE200) to write about. Enjoy

RE100 – Open Source

This challenge took a minute or so. Knowledge of C is required. You are given the source code of a program which, when given the correct arguments, will compute the keyword for you to submit as the flag. Let’s take a look at it:

#include <stdio.h>
#include <stdlib.h>  // needed for atoi() and exit()
#include <string.h>

int main(int argc, char *argv[]) {
    // we need to provide 3 argv's. the first one (argv[0]) is actually the program name, so we start at argv[1]
    if (argc != 4) {
    	printf("what?\n");
    	exit(1);
    }
 
    // argv[1] gets taken as an int using atoi, and it has to match 0xcafe
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
    	printf("you are wrong, sorry.\n");
    	exit(2);
    }

    // MATHS :-D 
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
    	printf("ha, you won't get it!\n");
    	exit(3);
    }

    // compare argv[3] with h4cky0u
    if (strcmp("h4cky0u", argv[3])) {
    	printf("so close, dude!\n");
    	exit(4);
    }

    printf("Brr wrrr grr\n");

    // compute our "hash"!
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;

    // win?
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
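The checks above can be worked through offline. The following is an added example, not part of the challenge source or the original post: it shows that atoi() stops at the 'x' in "0xcafe" (so the first argument has to be given in decimal), finds the smallest value that passes the second check, and evaluates the hash expression. The function names accepted, smallest_second and compute_key are made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same three checks as the challenge source; returns 1 if the arguments pass. */
int accepted(const char *a1, const char *a2, const char *a3) {
    unsigned int first = atoi(a1);   /* atoi("0xcafe") parses "0" and stops at 'x' */
    unsigned int second = atoi(a2);
    if (first != 0xcafe) return 0;
    if (second % 5 == 3 || second % 17 != 8) return 0;
    return strcmp("h4cky0u", a3) == 0;
}

/* Smallest value with second % 17 == 8 that is not rejected by second % 5 == 3. */
unsigned int smallest_second(void) {
    unsigned int s = 0;
    while (!(s % 17 == 8 && s % 5 != 3))
        s++;
    return s;
}

/* The hash expression from the source. Only second % 17 enters it, and the
   check pins that to 8, so every accepted input yields the same key. */
unsigned int compute_key(unsigned int first, unsigned int second, const char *third) {
    return first * 31337 + (second % 17) * 11 + (unsigned int)strlen(third) - 1615810207;
}

int main(void) {
    unsigned int second = smallest_second();
    printf("\"0xcafe\" accepted: %d\n", accepted("0xcafe", "25", "h4cky0u"));
    printf("\"51966\"  accepted: %d\n", accepted("51966", "25", "h4cky0u"));
    printf("smallest second: %u\n", second);
    printf("key: %x\n", compute_key(0xcafe, second, "h4cky0u"));
    return 0;
}
```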

2012
Sep.20

I had two “free” lessons at school today where I just caught up on some math (yay). Once I’d finished it, I still had another 30 minutes or so, and needed to waste some time. Through natural instinct I just decided to hop on my VPS (prgmr are awesome!) and play around with my “secret project” ;)

I did this for 15 minutes or so because there wasn’t much I could do, since I already had a few updated versions of code on my own box. With 10 minutes remaining, I decided to download me a nice and easy Linux crackmes, something that would take 5 minutes or less. CrackMes.de was unblocked on my school’s network… hehehe.

ANYWAY, enough with the intro, and let’s get to the baby crackmes. mycrk… a newbie crackme to do with 5 minutes, just to waste time. The crackme is by “cli3nt” so props to him. Aight, we download it, load it up in ~/Files/CrackMes and get to work.

Ok, great, now, first things are first; file, strings and readelf.

curi0us@n0plord:~/Files/CrackMes$ file mycrk
mycrk: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.0.0, not stripped
curi0us@n0plord:~/Files/CrackMes$ strings mycrk
/lib/ld-linux.so.2
_Jv_RegisterClasses
__gmon_start__
libc.so.6
printf
scanf
_IO_stdin_used
__libc_start_main
GLIBC_2.0
PTRh
Type cd-key:
wrong!
curi0us@n0plord:~/Files/CrackMes$ readelf -h mycrk
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048300
  Start of program headers:          52 (bytes into file)
  Start of section headers:          6936 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         7
  Size of section headers:           40 (bytes)
  Number of section headers:         33
  Section header string table index: 30

2012
Sep.08

GNU Hurd… what?

Hello. Before I start, lemme say that this is just a small informative blog post, and that I *am* working on actual posts which you should all love :)

Anyway… some of you may be aware of the GNU project, Hurd. What is it? Well, the GNU project say that it is a replacement for UNIX.

There is no stable version of Hurd, so to run it you will need to download the gzipped unstable release from Git, plus QEMU to run it. You can download it from here: http://people.debian.org/~sthibault/hurd-i386/debian-hurd.img.tar.gz. The download is 254MB compressed.

You will also need QEMU, although some distros may already have it. If not, do an apt-get, or download it and compile the code. QEMU is available from http://wiki.qemu.org/Download. Once you’ve got Hurd downloaded, extracted, and QEMU installed, it’s time to run it.

$ qemu -m 512 -net nic,model=rtl8139 -net user -drive cache=writeback,index=0,media=disk,file=$(echo debian-hurd-*.img)

Sweet, once you got that, and if QEMU has been installed correctly, you should have Hurd load and boot.

Hurd booting in QEMU

2012
Jul.14

Hello! :D
The blog hasn’t been too active since I’ve been busy coding and finishing other real life stuff, although my finals are over. Anyway, as a first “new” post, instead of finishing the wargame ones or putting up some code and my other usual stuff, I decided to update on my new Raspberry Pi, Model B, which I have been waiting for, forever!

I forgot to buy an SD card, so I haven’t booted it up yet (I’m an idiot), but I have ideas on what to code, and what to build with it, especially since I am taking part in the Raspberry Pi Summer Coding Competition. Well, here it is:

HELLO :D

2012
Jun.06

Whilst studying, I’ve also been taking “breaks” – playing wargames, like Semtex, which is an “easy” wargame, didn’t tire me out too much one afternoon to play parts of it and do a writeup :) . Ok, so, without any intro (apart from the one you’re reading now) let’s jump to it…

::0x Semtex 0::

Time to bust in some more C :D
We are required to, depending on the binary we want, connect to a port on the Semtex server, listen for the bytes it sends us, trash every second byte, and compile the valid bytes as a binary file. It “sounds” complicated, but it isn’t.

Since I want an x86/ELF binary, I will connect to port 24000, but feel free to change the code.
Anyway, here it goes:

/*
 + OverTheWire Semtex Level 0
 + Coded by Matteo
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

// Define TARGET "semtex.labs.overthewire.org"
#define TARGET "141.138.199.118"
#define PORT 24000

int main(int argc, char *argv[]) {
	// Declare our vars
	unsigned char bytes;
	int bytes_02 = 0, sock;
	struct sockaddr_in serv_addr;

	// Open the output in binary write mode so a re-run starts from an empty file
	FILE *executable;
	executable = fopen("semtex00", "wb");
	if (executable == NULL) {
		perror("Failed to open output file");
		exit(1);
	}

	memset(&serv_addr, 0, sizeof(serv_addr));
	serv_addr.sin_family = AF_INET;
	serv_addr.sin_addr.s_addr = inet_addr(TARGET);
	serv_addr.sin_port = htons(PORT);

	// Create the socket and connect to the server; stop on failure
	if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("Failed to create socket");
		exit(1);
	}
	if (connect(sock, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
		perror("Failed to connect with server");
		exit(1);
	}

	// Main loop - Receive all bytes and trash every second byte we get
	while ((recv(sock, &bytes, sizeof(unsigned char), 0)) > 0) {
		if (bytes_02 % 2 == 0)
			fprintf(executable, "%c", bytes);
		bytes_02++;
	}

	// Print the total byte count to stdout rather than appending it to the binary
	printf("[%d]\n", bytes_02);
	fclose(executable);
	close(sock);
	return 0;
}

Once run, you’ll have a file called semtex00 in your directory. Run it, and boom :D

curi0us@s0ul:$~# chmod 700 semtex00; ./semtex; echo -e
B#4j%XXc

The echo -e is just to give a ‘\n’.
And that was the first one. Easy.
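The loop above reads one byte per recv() call. If you read larger chunks instead, the "every second byte" position has to carry over from one chunk to the next, because TCP can split the stream anywhere. The following is an added example, not the author's code: the struct deint state and the function names are made up for this illustration, and the input is a constructed sample buffer rather than data from the Semtex server. It also checks the result for the ELF magic (7f 45 4c 46) before you would mark the file executable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Running state: how many stream bytes have been consumed so far. */
struct deint { size_t seen; };

/* Copy the even-indexed stream bytes of one chunk to out; returns bytes written.
   The index is counted over the whole stream, not per chunk. */
size_t deint_feed(struct deint *st, const unsigned char *chunk, size_t n,
                  unsigned char *out) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++, st->seen++)
        if (st->seen % 2 == 0)
            out[w++] = chunk[i];
    return w;
}

/* Sanity check on the reassembled file: does it start with the ELF magic? */
int looks_like_elf(const unsigned char *buf, size_t n) {
    return n >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0;
}

/* Feed a constructed interleaved stream in odd-sized chunks, as recv() might. */
size_t demo_deinterleave(unsigned char *out) {
    /* Constructed sample: ELF magic plus class byte, each followed by junk 'x' */
    static const unsigned char stream[] =
        {0x7f, 'x', 'E', 'x', 'L', 'x', 'F', 'x', 0x01, 'x'};
    static const size_t chunks[] = {3, 1, 4, 2};
    struct deint st = {0};
    size_t pos = 0, w = 0;
    for (size_t c = 0; c < sizeof chunks / sizeof chunks[0]; c++) {
        w += deint_feed(&st, stream + pos, chunks[c], out + w);
        pos += chunks[c];
    }
    return w;
}

int main(void) {
    unsigned char out[16];
    size_t n = demo_deinterleave(out);
    printf("kept %zu bytes, ELF magic present: %d\n", n, looks_like_elf(out, n));
    return 0;
}
```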
