Conquer the World by IEEE-VIT 2020 Write-Up
Conquer the World by IEEE-VIT is a jeopardy-style CTF open to anyone on the internet. The challenges are spread all across the globe, and participants need to solve them and collect the flags. This is a one-day event, running from Sat, 31 Oct. 2020, 04:00 EDT until Sun, 02 Nov. 2020, 01:30 AM.
This is a simple and straightforward challenge: we need to execute the program over an nc connection.
I downloaded the binary file and opened it with gdb.
As you can see, there is one interesting function.
I looked at getenv and searched Google for what exactly this function does; you can read more about it here. Now we need to find a way to execute that function, and we can definitely do it with an overflow: if you look at the main function, you can see that it calls the “I” function.
If you disassemble the I function, you will find that the program uses the “gets” function for input, and that function doesn't check the input against the size of the buffer.
So now we need to find how much padding it takes to overflow up to the return address and replace it with our function's address. I used cyclic to find it (there are other methods too), but first add a breakpoint at I+94.
Look at the EIP register: it tells us where execution will go next. Copy its hex value and use cyclic to find the offset of that value.
That value is at index 20, which means our padding length is 20. Let's build the payload.
Now we need the address of the function we want to jump to.
We need to pack it as a hex string:
import struct
target = struct.pack("<I", 0x8049192)  # little-endian: \x92\x91\x04\x08
I wrote a Python script; here it is:
If you run it, you'll get the flag.
I was really mad at myself, because this is just an easy challenge, but I overthought it and it took me a long time to solve.
Connect to the netcat service.
It looks like a shell connection, and we can see there's a hidden flag folder. If you try to cat it, you can't, because it only looks like a shell connection; it isn't one.
Then I looked around and found that grep exists in the bin directory, so I used it to grep for the flag.
We get a link, which points to Google Drive.
It's a zip file containing a flag.txt file, but once you download it you need to find the password for the zip file. If you check the earlier nc connection, you'll find some creds, but they are not the password for the zip file.
I remembered a clue from the challenge description that said “jail number 9003 is open”, and I thought that might give me a connection too. It is an SSH connection, which makes sense because we got a user and password earlier, so I connected to it.
There's a “flag.txt” file again, but here we can't use “cat” either. Again I looked in the bin directory and found “awk”, so I used it to print the file.
And there we go, we have the password for the zip file, but it's base64-encoded, so we need to decode it first.
That is our zip password; you just need to unzip the file and you'll get the flag.
In this challenge I just connected to nc, and this is what it looks like:
As you can see, this challenge is not a shell connection but a Python interpreter, and if you pay attention to the error, you'll know what to do next. I saw that our input is passed as the argument to the “eval” function. If you know what eval does, you'll understand that our input is treated as code: “eval” evaluates the string it is given as a Python expression, so a function name followed by parentheses gets called. So I tried calling the “want_key()” function.
But it said “Fail”, so I tried importing a module to get a low-level shell :)
That let me run shell commands. From here we could get a full shell, but I just wanted the flag, so I cat'ed all the files and got the flag.
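The eval problem described above, seen from the service author's side, as an added example that is not part of the original write-up or the challenge's code: the input is parsed with ast and matched against an allowlist instead of being passed to eval. Apart from want_key, every name here (ALLOWED, MAX_LEN, safe_dispatch, the sample inputs) is hypothetical.

```python
import ast

# want_key is the only name taken from the write-up; the rest is hypothetical.
def want_key():
    return "Fail"

ALLOWED = {"want_key": want_key}
MAX_LEN = 64  # assumed cap; keeps oversized input away from the parser

class Rejected(ValueError):
    """Input that is not a zero-argument call to an allowlisted command."""

def unsafe_dispatch(line):
    # The pattern the challenge's error message revealed: input goes to eval().
    return eval(line)

def safe_dispatch(line):
    """Parse the input as Python syntax, but never evaluate it."""
    if len(line) > MAX_LEN:
        raise Rejected("input too long")
    try:
        tree = ast.parse(line.strip(), mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise Rejected("not a valid expression") from exc
    node = tree.body
    # Accept exactly one shape: name() with no positional or keyword arguments.
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and not node.args and not node.keywords):
        raise Rejected("only zero-argument calls to known commands are accepted")
    handler = ALLOWED.get(node.func.id)
    if handler is None:
        raise Rejected("unknown command: " + node.func.id)
    return handler()

# Constructed sample inputs (not captured from the challenge).
SAMPLES = ["want_key()", "__import__('os').getcwd()", "want_key.__globals__",
           "(lambda: 1)()", "open()"]

def classify(samples):
    results = {}
    for s in samples:
        try:
            results[s] = ("ok", safe_dispatch(s))
        except Rejected as exc:
            results[s] = ("rejected", str(exc))
    return results

if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print(f"{sample!r:32} -> {verdict}")
```

unsafe_dispatch evaluates every sample as code, including the module import; safe_dispatch only ever runs a function object taken from ALLOWED.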
This is an easy challenge: you just need to download (or wget) the page, and you'll find some ZWSP (zero-width space) characters in there. You can read my previous write-up to see how to solve it.