Umut Barış Öztunç

[ASIS CTF Finals 2018] Silver Bullet Write-up (Pwn121)

You’ve got one silver bullet, pull the triggle carefully! nc 37.139.17.37 7331 Let’s check the file information first.

1 2	$ file Silver_Bullet Silver_Bullet: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=4e82d2545f78e6611f83f48a98f2ad3a90d4d03b, stripped

The file is an ELF 32-bit LSB executable. Let’s look at its protections.

$ checksec Silver_Bullet

Arch: i386-32-little

RELRO: Full RELRO

Stack: No canary found

NX: NX enabled

PIE: No PIE (0x8048000)

Its stack is not executable. Let’s decompile… Continue Reading →

2018/11/26

[TUCTF 2018] Lisa Write-up (Pwn489)

Ayo, Johhny’s got your take from the job. Go meet up with em’ to claim your share. Oh, and stop asking to see the Mona Lisa alright. It’s embarrassing nc 18.191.244.121 12345 lisa Let’s check the file information first.

1 2	$ file lisa lisa: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7f2cd300a5518deec5cb00e27dae466022fdacd9, not stripped

… Continue Reading →

2018/11/26

[Kaspersky Industrial CTF 2018] Glardomos Write-up (Reverse587)

Find the flag inside the binary Glardomos.exe Let’s check the file information.

1 2	$ file Glardomos.exe Glardomos.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

It is a 32-bit .NET executable file. Let’s try to decompile it.

// C:\Users\umuto\Desktop\ctf\Kaspersky\glardomos\CodeCrackerTools\Glardomos.exe

// Glardomos.exe

// Global type: <Module>

// Entry point: \u202D\u200F\u202C\u206C\u206D\u202E\u206B\u200F\u206B\u206B\u200D\u202D\u202C\u206F\u202C\u206F\u200F\u200C\u206B\u202B\u202E\u202E\u200C\u202C\u206F\u202A\u202A\u206D\u206B\u202C\u206C\u206B\u202A\u200C\u202B\u206F\u202B\u200E\u202A\u202A\u202E.\u202C\u206B\u206E\u202C\u206F\u200C\u200C\u200B\u200D\u206F\u206D\u200C\u200C\u200D\u200C\u200C\u202E\u200D\u202B\u206D\u206C\u206D\u202D\u202B\u200F\u202D\u200B\u200B\u200F\u200B\u200C\u206D\u200E\u206D\u202C\u200B\u200F\u206A\u202B\u206A\u202E

// Architecture: AnyCPU (32-bit preferred)

// Runtime: .NET Framework 4.5

// Timestamp: 5BD9D357 (10/31/2018 4:07:51 PM)

using System;

using System.Runtime.CompilerServices;

[module: SuppressIldasm]

[module: ConfusedBy("ConfuserEx v1.0.0")]

The binary is heavily obfuscated with ConfuserEx v1.0.0. We need to unpack and deobfuscate this… Continue Reading →

2018/11/26

[Kaspersky Industrial CTF 2018] Doubles Write-up (Pwn635)

nc doubles.2018.ctf.kaspersky.com 10001 doubles Let’s start with looking at file information and protections.

$ file doubles

doubles: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=e5511e0c31ccc63eda7398cbbfdf1d479f4854cd, not stripped

$ checksec doubles

Arch: amd64-64-little

RELRO: Partial RELRO

Stack: No canary found

NX: NX enabled

PIE: No PIE (0x400000)

The file is an 64-bit executable that is dynamically linked and its stack is not executable. Let’s disassemble its main function.

.text:0000000000400940 ; int __cdecl main(int argc, const char **argv, const char **envp)

.text:0000000000400940 public main

.text:0000000000400940 main proc near ; DATA XREF: _start+1Do

.text:0000000000400940 push rax

.text:0000000000400941 call f

.text:0000000000400946 xor eax, eax

.text:0000000000400948 pop rcx

.text:0000000000400949 retn

.text:0000000000400949 main endp

It simply calls a… Continue Reading →

2018/11/26

[Kaspersky Industrial CTF 2018] Expression Write-up (Web50)

http://expression.2018.ctf.kaspersky.com/ The website allows us to send two numbers/tokens and an operation among +, -, *, /. Let’s send 1 + 2 to test it.

1 + 2 = 3

Token: TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6Mzoic3VtIjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO2E6Mjp7aTowO2Q6MTtpOjE7ZDoyO31zOjk6InN0cmluZ2lmeSI7czo1OiIxICsgMiI7fQ==

<a href="?action=load&token=TzoxMDoiRXhwcmVzc2lvbiI6Mzp7czoxNDoiAEV4cHJlc3Npb24Ab3AiO3M6Mzoic3VtIjtzOjE4OiIARXhwcmVzc2lvbgBwYXJhbXMiO2E6Mjp7aTowO2Q6MTtpOjE7ZDoyO31zOjk6InN0cmluZ2lmeSI7czo1OiIxICsgMiI7fQ==">Share it</a>

It calculated to result and give us a token which is clearly base64 encoded…. Continue Reading →

2018/11/24

[P.W.N. CTF 2018] Important Service Write-up (Pwn259)

Very Important Service. Flag in /opt. nc importantservice.uni.hctf.fun 13375 a30577b33492f15d382ef665ee6abda2.tar.xz a30577b33492f15d382ef665ee6abda2.tar.xz MIRROR Let’s look at the file information first.

1 2	$ file importantservice importantservice: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=384e47753749ac204fb2125a79f489a1ed476104, not stripped

It is a 64-bit ELF pie executable which is dynamically linked and not stripped. Let’s check its protections.

$ checksec importantservice

Arch: amd64-64-little

RELRO: Partial RELRO

Stack: Canary found

NX: NX enabled

PIE: PIE enabled

The… Continue Reading →

2018/10/28

PwnDiary

Everything about security

Author