For this pwnable we’ve got a zip with AppJailLauncher.exe and thing2.exe. This means we get to experience the wonders of ASLR+DEP+Win8.1

challenge download tl;dr ruby solution

Prerequisite Knowledge

• C++ Object Memory Layout (virtual function tables)
• Windows 64bit ABI / Calling Convention
• ASLR, DEP/NX
• ROP
• x64dbg obsoletes ollydbg

The Nov ‘13 CTP is a compiler upgrade that adds a ton of C++11 features that should’ve already been there. Keeping with the spirit of your typical Windows package installer, you might get this cryptic error:

1

Error 0x80070666: Cannot install a product when a newer version is installed.

…when you’ve obviously not installed this. It’s caused by the installer detecting visual studio redistributables as newer versions of itself. Removing all newer-than-nov2013 redistributables fixes the issue. Good job Microsoft!

For this challenge, we’re given an .exe file and a server that it’s running on. Running strings on the binary, we see that there’s a lot of text in the program. It’s all instructions on how to get started with Windows exploitation. One block that is particularly interesting is:

1
2
3
4
5

VULNERABLE FUNCTION
-------------------
Send me exactly 1024 characters (with some constraints).
Password:
GreenhornSecretPassword!!!

This weekend was the NSec CTF competition. I couldn’t fly up to Canada, but the challenges sounded fun and I decided to contribute to an anonymous team.

The NSSA has leaked their authenticator! Our job is to find a password for the agent “Shikishima.” Popping open auth.exe we get a login prompt. Opening it in IDA we immediately see some interesting strings…

This challenge gives a server and a binary. Upon connection, the server asks you to generate two integer keys for a string. The binary we’re given accepts a string and two integer arguments as input, and will tell us if those are valid keys for that string by outputting :-( or *<:-). Near these strings in the binary we see a long string of numbers, and we can see that there are functions with names that indicate there is a virtual machine written in C++(“cpu execute, cpu fillmem, instruction”). We stared at this VM for a while and noticed it’s MIPS — but we didn’t feel like spending the time to analyze what the bytecode is doing.

Thankfully, we only need the two valid keys for our string that this binary checks our input keys against. We followed through the main function until we see a spot where the two valid keys are in memory, and we patched in shellcode to write them to stdout.

notice the CPU destructor above, this is after it executes and retrieves the output from the MIPS code. you can see our shellcode to dump T7/T6 in the second block.

This will pass us the values we need to send to the server, then it’s just a matter of sending them. I lost the python I wrote to do this, but you just needed to pass the desired string(from the server) to the binary, parse the 8 bytes the binary outputs into two unsigned longs, and then send them to the server. Repeat this until it dumps you a key.

For this challenge we’re told an application is running on a server and given a binary that outputs the following:

1
2
3
4

root@kawaii:~/expl400# echo "userinput" | ./miteegashun
Welcome to this demo of my exploit mitigation
This mitigation is unbeatable, prove me wrong
See? Flawless.

Checking for buffer overflow…

1
2
3
4

root@kawaii:~/expl400# perl -E "say 'A'x10000" | ./miteegashun
Welcome to this demo of my exploit mitigation
This mitigation is unbeatable, prove me wrong
Segmentation fault

We’re given a 64-bit ELF file with debug information for this challenge. Opening it up in IDA, we see that it is just a wrapper for embedded Lua. There’s a very simple decryption routine that is run on a “content_2593″ array and this code is run into luaL_loadbuffer. The operators say it was intended to be compiled Lua bytecode which I was initially expecting. I didn’t have a 64-bit Linux VM at the time of the CTF(which would be a very quick solve, just breakpoint where the code is decrypted), so I wrote this C++ implementation of the asm decryption loop:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

#include <stdio.h>

unsigned char content[] = {0x26,0x62,0x13,0x3A,0x33,0xC6,0xEF,0xFB,0x87,0x92,0xBD,0x4D,0x6C,0x35,0x1E,0x17,0x36,0x37,0xD8,0xE9,0xF4,0x83,0x94,0x80,0x1F,0x0D,0x60,0x4D,0x54,0x7B,0x8A,0x8F,0xFE,0xE0,0xEB,0xF4,0xF2,0x17,0x2C,0x6A,0x4F,0x4D,0x7B,0x88,0xC6,0xA2,0xDF,0xD9,0xE5,0xF5,0x01,0x28,0x22,0x08,0x3E,0x28,0xDF,0xE8,0xA7,0xD5,0x88,0xF4,0x12,0x1F,0x25,0x2A,0x06,0x33,0x0C,0x82,0xBF,0xB9,0xC5,0xD5,0xE1,0x08,0x02,0x6F,0x57,0x45,0x38,0x70,0x8B,0xBB,0xA2,0x9A,0xB7,0x80,0x1F,0x04,0x6E,0x49,0x52,0x60,0x97,0x84,0xB1,0xEC,0xC2,0xFF,0xE8,0x5A,0x2E,0x2B,0x45,0x51,0x79,0x95,0x94,0xB6,0x97,0x8A,0xE8,0xBF,0x4E,0x69,0x74,0x12,0x6A,0x62,0x93,0x8C,0xC4,0x9A,0x86,0xB2,0x5E,0x1A,0x24,0x2B,0x40,0x6E,0x2E,0xD0,0x89,0xB8,0xD9,0xCC,0xE9,0x5B,0x44,0x7B,0x34,0x0A,0x36,0x22,0xCE,0xA8,0xA3,0xC6,0xEB,0xF8,0x18,0x42,0x7E,0x30,0x43,0x7C,0x9A,0xE0,0xDC,0xB4,0x8E,0xA7,0xA6,0x15,0x54,0x2B,0x5A,0x52,0x66,0x9B,0xC6,0xEF,0x9E,0x88,0xA6,0xB3,0x5C,0x69,0x72,0x07,0x28,0x3D,0xCE,0xDB,0xAF,0xD8,0xC5,0xF6,0x1B,0x0C,0x74,0x48,0x48,0x75,0x74,0xD2,0xB2,0xA5,0xD9,0xD2,0xAE,0x47,0x57,0x7E,0x0D,0x18,0x36,0x66,0x81,0xD0,0xE6,0x92,0xBE,0xAA,0x00,0x42,0x73,0x1A,0x50,0x32,0xD4,0xCA,0xB1,0xC8,0x8E,0xBA,0xA6,0x52,0x28,0x6A,0x0B,0x02,0x78,0xDA,0xC3,0xF2,0xCE,0xA0,0xB6,0xA2,0x4E,0x7A,0x34,0x12,0x23,0x2A,0x80,0xC2,0xEB,0x9A,0x97,0xA4,0x74,0x4A,0x76,0x62,0x0E,0x7D,0x69,0x9D,0xBA,0xEA,0x8B,0x82,0xFD,0x0E,0x14,0x3B,0x50,0x4D,0x38,0x71,0x9B,0xB8,0xEE,0xD3,0xF2,0xFA,0x1E,0x03,0x62,0x48,0x0D,0x23,0xD2,0x98,0xFD,0xF3,0x87,0x90,0xA6,0x52,0x7E,0x6A,0x5F,0x44,0x2E,0x9D,0x89,0xBD,0xDA,0x8A,0xE8,0xBF,0x4E,0x29,0x32,0x40,0x77,0x64,0x91,0xCC,0xBD,0xCF,0xC4,0xBA,0x0E,0x0B,0x25,0x31,0x59,0x75,0x74,0x96,0xF2,0xA6,0xD9,0xCD,0xFE,0x56,0x0A,0x3D,0x51,0x5A,0x3F,0x22,0x9A,0xB2,0xA3,0xDC,0x94,0xAA,0x56,0x42,0x6E,0x1A,0x06,0x32,0xDE,0x9A,0xA4,0xAB,0xC0,0xEE,0xAE,0x50,0x09,0x38,0x59,0x4C,0x69,0xDB,0xC4,0xFB,0xB4,0x8A,0xB6,0xA2,0x4E,0x7A,0x66,0x12,0x3E,0x78,0x93,0x96,0xBB,0xC8,0xC8,0xB2,0x4E,0x60,0x76,0x62,0x0E,0x3A,0x63,0x9C,0xBA,0xC0,0xD3,0xCC,0xEA,0x70,0x16,0x20,0x57,0x44,0x62,0x2A,0xCC,0x8D,0xA3,0xDE,0xF2,0xAA,0x12,0x0D,0x20,0x5F,0x0A,0x32,0x8A,0x82,0xB3,0xE2,0xC8,0xF6,0xE7,0x15,0x7E,0x23,0x45,0x18,0x2E,0x9F,0x84,0x91,0xEA,0xEC,0xED,0xA0,0x40,0x74,0x36,0x53,0x6D,0x79,0x81,0x8D,0xBC,0xDE,0x88,0xBC,0x5C,0x17,0x74,0x6B,0x24,0x37,0x2B,0xD2,0xB8,0xFA,0x84,0x90,0xBD,0x49,0x07,0x31,0x5F,0x1E,0x2E,0x31,0xD7,0xEB,0xF4,0x86,0xFB,0xEF,0x40,0x04,0x28,0x5B,0x11,0x24,0xC8,0xD2,0xEE,0xF1,0xCD,0xAE,0xB1,0x17,0x54};

int main() {
        int counterb = 86;
        for(int i=0;i<=486;i++) {
                unsigned char cur = content[i];

                asm(".intel_syntax\n"
                        "sar %1, 31\n"
                        "shr %1, 24\n"
                        "add %2, %1\n"
                        "and %2, 0xFF\n"
                        "sub %2, %1\n"
                        "mov %0, %2\n"
                        ".att_syntax\n"
                        : "=c" (counterb)
                        : "0" (counterb)
                        , "d" (counterb)
                    );

                content[i] = (counterb^content[i]);
                printf("%02x ", content[i]);

                counterb += 236;
        }

        return 0;
}

For this challenge you’re given a simple win32 executable. A strings dump shows it’s a Perl2EXE binary. Additionally, we can see there is a referenced string “RunPerl.” Jumping to where it is referenced, we see other strings that make it clear this is an imported function from “p2x5123.dll”

We’re given an ELF binary. Opening this in IDA, the strings dump shows that this is a crackme.

This challenge gave us a JAR. We extracted it, and opened the class in JDGUI. It’s immediately clear that this challenge is to brute force an MD5. The manifest file gives us the first 6 characters, and leaves us to brute force the last 6. We know the keyspace is 0-9 A-F, as previous challenge flags fit that format.