TFC CTF 2021 Writeup
TFC CTF 2021
This article provides answer keys to the TFC CTF 2021 challenges.
Jumpy [Pwn]
Attached file: here
Output of checksec
NX is disabled, so we can execute code placed on the stack.
Jumpy C code obtained by reverse engineering with ghidra.
In the binary there is no system function and no function that reads the flag. Since the stack is executable, we can push shellcode onto it and execute it.
First, we need to control the RIP.
I placed a breakpoint on the ret of the main function. With an offset of 0x38 bytes we reach the saved RIP.
As a test, I sent this payload: "A"*0x38 + "BBBB"
The RIP is indeed overwritten.
We can now execute our shellcode on the stack.
payload = "A"*0x38 + RSP_addr + shellcode
We place the shellcode at the RSP and put the RSP address in the RIP, so that execution lands on the shellcode.
We don't know the address of the RSP, but a quick search in the binary turns up an instruction that jumps to the RSP; that will do the trick.
With the address of this instruction in the RIP, execution jumps to the RSP and runs whatever is there.
payload = "A"*0x38 + p64(0x00401142) + shellcode
Exploit:
Result:
Secret [Pwn]
Attached file: here
Result:
Santa [Pwn]
Attached file: here
Output of checksec
NX is enabled, so we can't run anything on the stack; we have to redirect execution to code that already exists in the binary.
In this case, we will target the return address (reached through the RSP).
Let’s run the binary.
Santa’s C code obtained by reverse engineering with ghidra.
I found a flag function.
Here, we have to cause a buffer overflow and redirect execution to the flag function, without running anything on the stack.
To reach it: "A"*0x38 + "BBBBBBBB". In gdb we can see that the return address has been overwritten.
We can now write our exploit to execute the flag function.
Address of the flag function: 0x00401152
You can find it in gdb with the command:
Exploit:
Result:
But there is a problem.
When I ran it against the remote server, it did not work.
Movaps stack alignment
"If you're segfaulting on a movaps instruction in buffered_vfprintf() or do_system() in the x86_64 challenges, then ensure the stack is 16-byte aligned before returning to GLIBC functions such as printf() or system()."
The solution is to insert one extra ret gadget before the address of the flag() function when building the overflow payload, so that the RSP is shifted by 8 bytes and is 16-byte aligned again when flag() runs.
I used a ret from _init. To find it: objdump santa -M intel --disassemble=_init
New exploit:
Weird friend [Misc]
Attached file: here
I used strong-qr-decoder:
Result:
Am i doing it right? [Crypto]
Attached file: here
First, I wanted to use RsaCtfTool to find d, but it did not work.
So I recovered N and e with RsaCtfTool.
I tried several tools to retrieve p, q and d without success, until I tried the RSA Cipher tool on dCode.
And bingo, I had p, q and d.
So I wrote a Python script to decrypt the chall.enc file.
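As an added example (not the author's script, which is not reproduced here), this rebuilds the private exponent from the recovered p, q and e and decrypts a raw, unpadded RSA ciphertext; the primes, exponent, the check_factors helper and the message are constructed toy values, not the challenge's.

```python
# Added example, not the writeup's own script. Rebuilds an RSA private key
# from p, q and e (the values recovered with RsaCtfTool / dCode in the text)
# and decrypts a raw, unpadded ciphertext. Standard library only.
from math import gcd

def rsa_private_from_pqe(p: int, q: int, e: int):
    """Return (n, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n): wrong p, q or e")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return n, d

def check_factors(n: int, p: int, q: int) -> bool:
    """Sanity check before decrypting: do the recovered primes really give n?"""
    return p > 1 and q > 1 and p * q == n

def rsa_decrypt_bytes(ct: bytes, p: int, q: int, e: int) -> bytes:
    """Decrypt a big-endian raw RSA ciphertext (textbook RSA, no padding)."""
    n, d = rsa_private_from_pqe(p, q, e)
    c = int.from_bytes(ct, "big")
    if c >= n:
        raise ValueError("ciphertext >= n: wrong key or wrong byte encoding")
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def rsa_encrypt_bytes(pt: bytes, n: int, e: int) -> bytes:
    """Textbook RSA encryption, used here only to produce a test ciphertext."""
    m = int.from_bytes(pt, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed toy parameters (Mersenne primes 2^61-1 and 2^89-1): far too
# small for real use, but enough to show the workflow.
P = 2305843009213693951
Q = 618970019642690137449562111
E = 65537

if __name__ == "__main__":
    n, d = rsa_private_from_pqe(P, Q, E)
    assert check_factors(n, P, Q)
    ct = rsa_encrypt_bytes(b"TFCCTF{toy_flag}", n, E)  # stands in for chall.enc
    print(rsa_decrypt_bytes(ct, P, Q, E))             # prints b'TFCCTF{toy_flag}'
```

With the real challenge values, read chall.enc as bytes and pass it to rsa_decrypt_bytes together with the p, q and e recovered from the tools.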
Result: