Posts

BugPoC's LFI challenge writeup

This is a write-up for the LFI challenge by `BugPoC`, Buggy Social Media Sharer (social.buggywebsite.com), which was posted on Twitter recently (link).

This is a website for writing a text (post), for which the website generates several links to share it on different social media platforms.
As is common, it supports generating a URL preview card via an API server, which leads to SSRF, and then to LFI.


Buggy Social Media Sharer
Given a website: http://social.buggywebsite.com/
The goal of the challenge is to achieve LFI and steal /etc/passwd.
It's a straightforward challenge; by going through the JS, we can see the URL card generating functionality.
function processUrl(e) { requestTime = Date.now(), url = "https://api.buggywebsite.com/website-preview"; var t = new XMLHttpRequest; t.onreadystatechange = function() { 4 == t.readyState && 200 == t.status ? (response = JSON.parse(t.responseText), populateWebsitePreview(response)) : 4 == t.re…

Tokyo Westerns CTF 2020 - writeups.

[*]-challenges
    [+] (Rev - 126 pts) Reversing iS Amazing
    [+] (Rev - 224 pts) Tamarin

Our team Invaders ended up in 21st position
in `Tokyo Westerns CTF 2020`, conducted by the `TokyoWesterns team`.



[Rev] Reversing iS Amazing
It is a warmup challenge. Given a file named `rsa`, a 64-bit executable.
Decompiled the executable with Ghidra. As the binary is dynamically linked, we still have the external library function calls:
BIO_new_mem_buf, d2i_PrivateKey_bio, EVP_PKEY_get1_RSA, RSA_private_encrypt. Those are OpenSSL library API calls; going through the documentation and the code,
the binary contains an EVP key and a ciphertext.
The binary creates an RSA private key from the EVP key, then encrypts our input and compares it with the ciphertext.
Dumped the EVP key and the ciphertext from the binary, and wrote a decryption program with the same API calls (as we have the private key).
$ gcc rsa-reverse.c -o rev -lssl -lcrypto
$ ./rev -----BEGIN PRIVATE KEY…

Alles CTF 2020 Writeups

[*]-challenges
    [+] (Rev - 137 pts) Flag Service Revolution
    [+] (Rev - 113 pts) prehistoric mario

Our team Invaders ended up in 21st position
in `Alles CTF - 2020`, conducted by the `Alles team`.

The reversing challenges are interesting:
the first one is a Nintendo GameCube file, the second one is an APK game.


[Rev] Flag Service Revolution
Given a boot.dol file, a Nintendo GameCube executable. Opened it with dolphin-emu. Then searched for how to disassemble .dol files, found this https://mkwii.com/showthread.php?tid=1193 and used Ghidra.

This is a stripped and statically linked binary, so it's hard to trace the functions.
Searched for strings appearing in the app -> `Cross References` -> `main function FUN_8003d4c4`.

Ghidra's decompiled code is too messy with the stripped function names and variable names.
Anyway, went through the code and renamed the `variables` and the `functions` based on their arguments, codef…