https://www.rhysin.fyi/tryhackmerooms daily 0.75 2023-09-09 https://www.rhysin.fyi/tryhackmerooms/blog-post-h4cked monthly 0.5 2023-09-09 https://www.rhysin.fyi/misc-ctf-rooms daily 0.75 2023-09-17 https://www.rhysin.fyi/misc-ctf-rooms/blog-post-guessinggame monthly 0.5 2023-09-11 https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/1260e600-6bee-4f30-99e3-6ed96bca039c/Ghidra_Check.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out BEAUTIFUL! Lets look at the C code to a understanding on what’s going on here. We see that there are a couple local variables created here when this function is called. char local_138 [300] This creates a char array with a size of 300 to store our input to be later used in the strcmp() function local_140 = 0x65666661726947 Now this looks interesting! What could it be?? A flag? A memory address? Lets convert it to ASCII Once we do that we get the string “effariG” But since we are using Little Endian its “Giraffe” Have we gotten it! Sadly no. There is another variable that must not be equal to 0 to get past the second if statement to print the flag if ( local_c != 0 ) -> outputFlag() Well lets abuse that character buffer size of 300. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/94a491da-e945-47ef-9031-567309bb9d7b/main_func.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out Main function of the program. Two main calls, puts() and check() https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/459ddc92-0245-4052-be1b-9aff1758579a/Buffer_Overflow.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out Nice! We just used a basic buffer overflow to run over and force the program to output the flag for us! The real flag is below. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/83a3c8ac-15f8-4eca-a742-ef5980154135/output_flag_func.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out Once we reach output flag it opens a file which in turn reads the flag into a variable and prints to the screen https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/4abcab3e-77f7-4643-ade7-aea18b5e0957/runTheGame.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out Well….. not much going on in this binary. Input-> Check-> Output-> Quit First thoughts are we can either see what it checks against in a disassembler, or try and abuse a weak input system written in C. fprint - Writes the printf to a file printf - Output a formatted string sprintf - Prints into a string snprintf - Prints into a string checking the length https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/35aa4c4e-dba0-4c63-b261-b4682f8e7c9f/Check_Func.png Misc. CTF Rooms - Patriot CTF | Guessing Game - Make it stand out The check function writes to the screen and asks for an input. once the input is received, There is a call to strcmp() which compares your input to another variable. https://www.rhysin.fyi/misc-ctf-rooms/blog-post-pctf-coffeeshop monthly 0.5 2023-09-10 https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/1a412553-4d9b-4e79-b9cd-a9c98f067723/CoffeeShop.png Misc. CTF Rooms - Patriot CTF | Coffee Shop - Make it stand out A JAR file is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension. That being said a JAR file is identical to a zip file format. Both compresses a group of files (including directories) into a single file to reduce the total size, as well as retain the directory structure of the files. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/42b901bd-a190-4aab-96eb-cc800539a816/JarInflate.png Misc. CTF Rooms - Patriot CTF | Coffee Shop - Make it stand out We now have a META-INF directory and a CoffeeShop.class We can target this .class file to see how the program inter-workings are. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/6f88707f-c38c-401b-be7e-09cb9e6b0028/javap-c.png Misc. CTF Rooms - Patriot CTF | Coffee Shop - Make it stand out Whatever it is, the way you tell your story online can make all the difference. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/7a26f2b4-bd97-44a5-b249-bf6f1a8029e7/main_Func.png Misc. CTF Rooms - Patriot CTF | Coffee Shop - Make it stand out Nice Work! If we peer into the developer comments in the main function we can see that there is a checking function that looks for very specific string values. Thankfully the Dev left them for us to find! https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/63a7056c-32b2-4469-850e-a8410f59d4fd/base64decode.png Misc. CTF Rooms - Patriot CTF | Coffee Shop - Make it stand out BOOM got that flag! https://www.rhysin.fyi/misc-ctf-rooms/csaw-baby3 monthly 0.5 2023-09-17 https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/00a40d04-5348-4645-9931-04d7d593e24d/checksec.png Misc. CTF Rooms - CSAW CTF | BabysThird - Make it stand out Nothing of interest… https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/86706e0e-ac28-4001-afd5-ce47f01da9d1/objdump.png Misc. CTF Rooms - CSAW CTF | BabysThird - Make it stand out I see 2 mains lines of interest, Memory address (120e and 1224) 120e is a scanf that handles our input 1224 calls a strcmp https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/dda4e840-b595-412b-99d9-64c7fe72ffbd/flag.png Misc. CTF Rooms - CSAW CTF | BabysThird - Make it stand out Easy Points in less than 5 min of work. https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/d8840e45-547d-42d3-afba-8ae638c19986/strings.png Misc. CTF Rooms - CSAW CTF | BabysThird - Make it stand out Well I’ll be dammed if that isn’t a flag staring right at me! Lets input it back into the program to see if that’s all we had to do! https://images.squarespace-cdn.com/content/v1/64fb766b786f6f2fca09a927/8b6dd154-0ac6-406d-9a6f-74f927cfac86/execute.png Misc. CTF Rooms - CSAW CTF | BabysThird - Make it stand out Well, not very eventful….. BUT, we can start formulating ideas about how this programs logic works. Input -> Check -> Output Maybe we can abuse the Input buffer? How is this program checking input? (Hard coded compare possibly?) https://www.rhysin.fyi/home daily 1.0 2023-09-10 https://images.squarespace-cdn.com/content/v1/6442ef4842b7395876978966/1682108240014-XDIUNHLV64UVCJ0VC29N/Sleek+Objects+1.jpg https://www.rhysin.fyi/about daily 0.75 2023-09-10 https://images.squarespace-cdn.com/content/v1/6442ef4842b7395876978966/1682108255276-FRGB1A6K371KAOZEBKNF/Light+Objects+1.jpg https://www.rhysin.fyi/contact daily 0.75 2023-09-10 https://www.rhysin.fyi/security-write-ups daily 0.75 2023-09-10