Is eval safe yet? Arbitrary code execution in Python

TL;DR: Found use of eval in the Python gettext module. Bypassed weak security checks. Gained arbitrary code execution.

Background

In Beyond PEP 8, an excellent talk by Raymond Hettinger, he jokingly comments that namedtuple is implemented using eval (or exec, to be exact), and that it’s defensible given the right circumstances. While this is sometimes true, I figured I’d clone the cpython repository and grep for any usages of eval-like functions.

RGBPad project

Xil.se is more than just a CTF team. We’re doing some hardware projects and will start posting about them now. First out is the RGB Pad. A quite quick and dirty project, but fun nonetheless. RGBPad is a button pad with fully addressable RGB LEDs. It is acting as an I2C slave and is designed to be connected in an array of multiple devices.

Architecture

Each RGBPad has an STM32F030C8T6 on board that acts as an I2C slave with a unique ID.

Pwn2Win CTF 2016 Secret Accounts (Py 80) Writeup

Problem Description:

Through many months of sniffing, we discovered a server running a software which the Club uses to manage information about secret bank accounts abroad. We even obtained its source code. We need to obtain access to the system in order to discover the real name of the owner of the account possessing the greater amount of money, in which bank it is, and the real amount. As you might expect, it seems that the Club has hunkered down to assert only authorized people, who really know what they are doing, are able to operate this system and to interpret information provided by it.

Pwn2Win CTF 2016 Dump (Forensics 50) Writeup

Problem Description:

We know this dump was generated by a process which was executing as root on the computer, and that it was reading directly from a /dev device. Probably it is part of a keylogger module included in a rootkit which is being tested by the Club. Help us to unveil this message, allowing us to discover why they infected this specific machine.

Solution

The dump file contained data that seemed to align well for 24 bytes, indicating that each record of the captured input was stored in some 24-byte data structure.

Pwn2Win CTF 2016 Painel Message (Forensics 50) Writeup

Problem Description:

Last month we gained access to a video portraying a Club’s electronics project. It looks like they want to insert this display into the digital panels found in urban buses that circulate in large cities. We need to discover what this is all about. Those who automate the ENTIRE resolution of this challenge deserve 20 bonus points. Show your code to a judge (@). ;)

Solution

We were given a video of a two-row LED display with the LEDs being turned on and off in 29 different configurations.

Pwn2Win CTF 2016 Simple Cryptography (Crypto 60) Writeup

Problem Description:

The club decided to evolve the security of communication for something more efficient and simple to be implemented … simply too much! The technique was reproduced in the message encoded below:

GA3TCYZRGU2DKXZXG5PTENZTHAZDSXZQHEYTKMJUGBSV6MBXGFSF6MTDGIYTGYJSMMZTIM3FL4YDOMLCL42GENJRGU2TIOBVGQ2WIXZRGBPTAZQ=

Add CTF-BR{} to submit the resulting hash.

Solution

Figuring out the encoding scheme didn’t take many minutes. Noticing that the encoding alphabet seems to be a subset of Base64, we gave Base32 a shot. After decoding it, we were given the string:

071c1545_77_273829_0915140e_071d_2c213a2c343e_071b_4b515548545d_10_0f

This is of course not just hex-encoded ASCII chars, but it’s been processed in some way.

Pwn2Win CTF 2016 Sequences (PPC 40) Writeup

Problem Description:

Warm up for the next PPC challenges. The Club guys love sequences, and it is always good to know your enemy. We will show you some sequences, and after each sequence you need to predict the values which correctly fill the asked positions. We ALWAYS adopt the convention that position 1 corresponds to the first number of the sequence.

Output sent by the server: Position - Sequence

Result format expected by the server: result1,result2,result3,result4…

Solution

This challenge was pretty straightforward.

Pwn2Win 2016 Sleeper Cell (Reverse) Writeup

Problem: N/A

Solution

We get an ELF 64-bit executable that we should reverse. Running it gives us a cat-like interface; it echoes back what comes in on stdin. Looking at the disassembly, I don’t really feel like understanding it - let’s do dynamic RE instead. Entering a bunch of ‘A’s and stepping, I find interesting things happening:

[-------------------------------------code-------------------------------------]
   0x400e49: lea    rsi,[rsp+0x10]
   0x400e4e: mov    edi,0x6020e0
   0x400e53: call   0x400d00 <_ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E@plt>
=> 0x400e58: mov    rdx,QWORD PTR [rax]
   0x400e5b: mov    rdx,QWORD PTR [rdx-0x18]
   0x400e5f: test   BYTE PTR [rax+rdx*1+0x20],0x5
   0x400e64: jne    0x400f20
   0x400e6a: lea    rsi,[rsp+0x10]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe790 --> 0x601de0 --> 0x4011e0 (cmp QWORD PTR [rip+0x200c18],0x0 # 0x601e00)
0008| 0x7fffffffe798 --> 0x4010ff (add rsp,0x18)
0016| 0x7fffffffe7a0 --> 0x615598 ('A' <repeats 44 times>)
0024| 0x7fffffffe7a8 --> 0xff
0032| 0x7fffffffe7b0 --> 0x615548 ("DFHLNRTXDFLPRVBHJPTVBFLTXZDFJXBHJTVBHLRXZJLP")
0040| 0x7fffffffe7b8 --> 0x40171d (add rbx,0x1)
0048| 0x7fffffffe7c0 --> 0x615608 ("DFHLNRTXDFLPRVBHJPTVBFLTXZDFJXBHJTVBHLRXZJLP")
0056| 0x7fffffffe7c8 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Breakpoint 1, 0x0000000000400e58 in ??

Pwn2Win 2016 QRGrams Writeup

Problem: N/A. Something about QR and anagrams.

Solution

Connect to a server and get a bunch of ASCII and ANSI QR codes, then we are supposed to reply with a text and some numbers. I solved it using qrtools, png and an anagram solver I found using Google. The anagram solver needs a dictionary to work, so I had to find a word list sorted by frequency (N-gram, the hint in the challenge name).

Pwn2Win 2016 Square Infinite Spiral Writeup

Problem

Didn’t save the original text but here are my words: Imagine an infinite 2D grid. Start at (0, 0). Move one unit right, then turn left whenever possible so that you don’t intersect with your trail, i.e. make a counterclockwise spiral. The challenge input is the number of iterations; the solution is the coordinate where the point ends up. For input=4, the solution is (-1, 1).

[ASCII drawing of the spiral, not recoverable from the extracted text]

Solution

It took a while for me to get what the challenge really was about.