
MicroCTF 2016 Writeup

This is a write-up of some challenges in Micro CTF. Micro CTF was held by Amazon during 44CON 2016.

bad memories 100
The binary asks you to enter a passcode to unlock the free canaries. By analysing the code in IDA Pro you can see that it is a very classic stack-based overflow. All you need to do is overflow the stack buffer and overwrite the return address with the address of the function that prints the flag. We don't even need to get a shell. The following code was my solution to the challenge:

Bad memories 200
The binary again received some input from the user and stored it in a buffer on the stack, so it was vulnerable to the same very classic stack overflow. The only difference was that a static canary was hardcoded into the function. When the function returns it checks whether that canary was overwritten; if it was, the function never returns and calls exit() instead. To exploit this, we need to overflow the stack buffer but keep the canary as it is. The static value was "0xdeadb01d". We also need to overwrite the return address with the function that prints the flag. The final exploit is shown below:

Bad memories 300
The third binary was vulnerable to a format string vulnerability. The binary basically received an input from the user, calculated the MD5 of that input and then printed both the user input and the MD5 hex digest. The exploitation was very simple. All we need to do is overwrite one of the values in the GOT to take control of the application. The following exploit overwrites the GOT entry of the fflush() function with the printflag one.

Silicon and wires 100 and 500
I think these challenges were screwed up a little bit, because I used the same technique to solve both challenges (which usually should not be the case).

I used the following script to decode the content of the files:

After that I ran strings on the decoded files and the flags were:
Silicon and Wires 100: UP AND ATOM
Silicon and Wires 500: the secret is: YOU’VE GOT IT NOW

Another way to decode the binaries (thanks to Dan) is to use the following command:

Network 100

This one was quite straightforward. The challenge says there is a load balancer in front of a website and the flag is at http://localhost:8080/ (as far as I remember; the challenges are down now). They gave us a hint that some load balancers act as proxies. From the hint, all we need to do to get the flag is to intercept the GET request for the root page "/" and modify the path in the request to "http://localhost:8080/". Because the load balancer acts as a proxy, it fetches the content from localhost and returns it to us, and that content contains the flag.

Network 200
The name of the challenge was HVAC. The challenge statement said that there is an authentication system listening on port 4321. The goal of the challenge is to manage to authenticate ourselves to this system.

When we netcat to the system, it echoes the time in seconds. From the name of the challenge, HVAC (kind of HMAC!!), and the challenge description, we see that we probably need to HMAC the time we receive from the server with some secret value to be able to log in to the server successfully. The same server has an almost empty web application on http://52.10.230.116:4080/
We ran dirbuster on http://52.10.230.116:4080/ and managed to find a .git directory. We downloaded the .git directory and then ran "git log" to see the commits. We reverted back to the first commit and found the key used for the HMAC in a file named key.txt.

Using the following script I was able to HMAC the challenge returned from the server and authenticate successfully.
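The write-up describes the protocol (server sends the current time in seconds, client answers with an HMAC of it under the key from key.txt) but the script itself did not survive. The block below is an added example, not the author's script: it models both sides of that exchange offline. The hash (SHA-256), the challenge format (decimal seconds as ASCII) and the key value are assumptions; the verification side shows what a sane server does with such a scheme, namely a constant-time comparison plus a freshness window so an intercepted response cannot simply be replayed later.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder standing in for the key recovered from key.txt in the
# repository's first commit; the real key is not reproduced here.
SECRET_KEY = b"placeholder-key-from-key.txt"


def client_response(challenge: str, key: bytes = SECRET_KEY) -> str:
    """Client side: the server's challenge is the current time in seconds as a
    decimal string; answer with hex(HMAC-SHA256(key, challenge)).
    SHA-256 is an assumption, the write-up does not name the hash."""
    return hmac.new(key, challenge.encode("ascii"), hashlib.sha256).hexdigest()


def server_verify(challenge: str, response: str, key: bytes = SECRET_KEY,
                  now: Optional[int] = None, max_skew: int = 30) -> bool:
    """Server side: accept only a fresh challenge with a matching MAC.
    compare_digest() keeps the comparison constant-time so the position of the
    first mismatching byte is not leaked; the skew window limits replay."""
    if not challenge.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(challenge)) > max_skew:
        return False
    expected = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def run_exchange(now: Optional[int] = None) -> Tuple[str, str, bool]:
    """Simulate the round trip: server issues the time, client answers, server checks."""
    current = int(time.time()) if now is None else now
    challenge = str(current)
    response = client_response(challenge)
    return challenge, response, server_verify(challenge, response, now=current)


if __name__ == "__main__":
    challenge, response, accepted = run_exchange()
    print(f"challenge={challenge} response={response} accepted={accepted}")
```

Against the real service the challenge string would come from the socket instead of time.time(), and the response would be sent back on the same connection; the rest of the client side is the single hmac.new() call. The leak that made the challenge solvable is the key in the repository history, not the HMAC construction, which is why the example keeps the key out of the code as a placeholder.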


That was a quick write-up of most of the challenges I can remember. I hope you find it somehow useful. Feel free to comment if there is something that was not very clear.

Enjoy!

Published in writeups
