
Ryan Fitblip

@Fitblip
Fitblip / writeup.md
Created October 29, 2020 22:13
Hack The Vote 2020 CTF - x96 Writeup

x96

Full disclosure: this is the happy path, there were a lot of sad paths with this challenge and many hours spent pulling out my hair to get to the flag. Very cool challenge though!

Starting: What is this thing?

The first obvious step is to get info on the binary itself, and running it to see what it does.

$ readelf -h ./x96
@Fitblip
Fitblip / Magic issues
Created November 18, 2012 04:43
VDB issue #1
# Before patch
[objdump -p] [VDB]
Magic 010b 0b01
MajorLinkerVersion 7 (7)
MinorLinkerVersion 0 (0)
SizeOfCode 00007000 00007000
SizeOfInitializedData 00007000 00007000
SizeOfUninitializedData 00019000 00019000
AddressOfEntryPoint 00020cd0 00020cd0
BaseOfCode 0001a000 0001a000
from construct import Struct, Byte, Int16ub, Int64ub, Enum, Bytes, Int24ub, this, GreedyBytes, GreedyRange, Terminated, Embedded

MerkleTreeHeader = Struct(
    "Version" / Byte,
    "MerkleLeafType" / Byte,
    "Timestamp" / Int64ub,
    "LogEntryType" / Enum(Int16ub, X509LogEntryType=0, PrecertLogEntryType=1),
    "Entry" / GreedyBytes
)
import os
import re
from pymongo import MongoClient
from bson.objectid import ObjectId
client = MongoClient()
db = client.db
def get_or_add_user(_id=None, name=None):
@Fitblip
Fitblip / slack_notification.py
Created June 24, 2017 06:17
An example for certstream to send a slack notification.
import os  # needed for the os.environ lookup below
import certstream
import json
import requests
# Set the webhook_url to the one provided by Slack when you create the webhook at https://my.slack.com/services/new/incoming-webhook/
WEBHOOK_URL = os.environ["SLACK_WEBHOOK_URL"]
NEEDLE = "coinbase"
# Search for domains with a keyword in them and write the corresponding certificate to a file
@Fitblip
Fitblip / certstalgia.sh
Created November 5, 2017 00:06
Certstream Logstalgia Output v2
certstream --json | \
jq -r '.data | [ (.seen|floor|tostring), (.leaf_cert.all_domains[0]|split(".")|.[-1]), .chain[0].subject.CN, "200", "0" ] | join("|")' | \
logstalgia -g "Certificate Authorities,CODE=^200,0" --hide-response-code --hide-paddle --path-abbr-depth -1 --no-bounce -s 2 --address-abbr-depth -1
@Fitblip
Fitblip / gist:5218816
Last active May 26, 2018 06:55
Clone of Corelan's PVEString stack tool. Written because perl sucks, and I'm not going to install that garbage on my computer to do one thing.
import sys

string = sys.argv[-1]
lines = []
print("String length : %d" % len(string))
print("Opcodes to push this string onto the stack :")
# Walk the string in 4-byte chunks, starting from the end so the pushes land in order
for i in range(0, len(string), 4):
    line = string[i:i + 4]
@Fitblip
Fitblip / find_needle.py
Created June 24, 2017 05:24
Find a specific keyword (paypal) in any certificates sent by Certstream
import certstream
import base64
NEEDLE = "paypal"
# Search for domains with a keyword in them and write the corresponding certificate to a file
def certstream_callback(message):
    if message['message_type'] == "certificate_update":
        all_domains = message['data']['leaf_cert']['all_domains']
        if NEEDLE.lower() in " ".join(all_domains).lower():
import requests
import json
import locale
locale.setlocale(locale.LC_ALL, 'en_US')
ctl_log = requests.get('https://www.gstatic.com/ct/log_list/log_list.json').json()
total_certs = 0
human_format = lambda x: locale.format_string('%d', x, grouping=True)  # format_string replaces the removed locale.format
SELECT
url,
COUNT(*) AS total_certs
FROM
[ctl-lists:certificate_data.scan_data]
WHERE
(REGEXP_MATCH(all_dns_names,r'.*flowers-to-the-world.*'))
GROUP BY
url
ORDER BY