Conquer the World by IEEE-VIT 2020 Write-Up

Conquer the world by IEEE-VIT is a jeopardy style CTF open to anyone on the internet. The the challenges are spread all across the globe and participants needs to solve these challenges and collect the flags. This event is one day event and start from Sat, 31 Oct. 2020, 04:00 EDT until Sun, 02 Nov. 2020, 01:30 AM.

Binary Exploitation

1. binary1

In this challenge is a simple and straight forward challenge, in this challenge we need to execute the program from nc connection

and i download the binary file and open it with gdb

and here as you can see there is one function interesting

and i look at getenv file, and i search it on google what exactly this function do, you can read it more here. Now we need to find how to execute that function, and absolutely we can do overflow, if you see in main function you can see main function call “I” function

and if you disassemble I function you will find program using “gets” function for input, which that function is don’t check buff input.

So now we need to find how long padding we need to overflow return address and change it with our function address, i use cyclic to find it but there’s another method to find it, but first add breakpoints to I+94.

and you can see at register EIP, that register is telling us where it will go later, and copy hex value and use cyclic to find the offset that value

and that value is in index 20 which mean our buff is 20, lets make the payload

buff="A"*20

and now we need address that function we want to go

we need to pack it as hex string

import struct
target=struct.pack("I", 0x8049192) #\x92\x91\x04\x08

and i write python script, here it is

if you run it, you’ll get the flag.

i was really mad at my self, because this is just a easy challenge, but i overthinking and it make me take a long time to solved it.

Flag: IEEECTF{5Y5t3M_m3M0rY_C0rRuPT3d}

Jails

1. Jails1

Connect to netcat connection

it’s look like shell connection, and we can see there’s flag hidden folder, if you try to cat it, you can’t because it’s just look like a shell connection, but it’s not.

then i looking around and i found that grep file exist in bin directory, and i use it to grep the flag

and we get link which is link to google drive

and it’s a zip file which contain flag.txt file, but if you download it, you need to find the password for the zip file, and if you check on nc connection before, you’ll find some creds, not the password for zip file.

i remember some clue from description challenge, that said “jail number 9003 is open” and i think that’s maybe can give me connection too, and it’s a ssh connection, and it make sense because we got user and password before, and i connect to it

and there’s “flag.txt” file again, but in here we can’t do “cat” to, and again i try to look at bin directory and find “awk”, i use it to print the file

and there we go, we got the password for zip file, but it’s base64 encoded, so we need to decode it first

and that is our zip password, you just need to unzip it, and you’ll get the flag

Flag: IEEECTF{B45H_3RR0R!_PL3453_TRY_4G41N}

2. Jails2

in this challenge i just connect to nc, and this is it look like

as you can see, in this challenge, it’s not a shell connection, but it’s python interpreter, and if you pay attention to the error, you’ll know what to do next. Because i see our input is will set as argument for “eval” function, if you know what eval function do, you’ll understand that our input will set as name the function, because “eval” function can call string/argument it given as command, so i try to call “want_key()” function

but it say “Fail”, then i try to import modul to get low level shell :)

and i can do shell comand, from here we can get shell, but i just want to get the flag, so i cat all the file and i got the flag.

Flag: IEEECTF{3val_!5_7@M3}

Forensics

1. Forensic3

This challenge is a easy challenge, you just need to download or wget that page, and you’ll find some ZWSP (zero width space) in there, and you can read my prev write-up to solved it.

Flag: IEEECTF{0_WIDTH_J@CK_R@Y@N_3N0UGH?}

PARSECT // IT Security Enthusiast // STOICISM // KEEP DO SOMETHING LEGAL