index.html 14 KB

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="None">
<link rel="canonical" href="http://127.0.0.1/">
<link rel="shortcut icon" href="img/favicon.ico">
<title>Google CTF 2023 | Retrospective</title>
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/font-awesome.min.css" rel="stylesheet">
<link href="css/base.css" rel="stylesheet">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/styles/github.min.css">
<script src="js/jquery-1.10.2.min.js" defer></script>
<script src="js/bootstrap.min.js" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
</head>
<body class="homepage">
<div class="container">
<div class="row">
<div class="col-md-9" role="main">
<h1 id="gctf-2023-latiza">gCTF 2023 | LATIZA</h1>
<p>This document contains some notes about how we solved some of the problems. The idea is to write down the process of getting to the solution rather than just describing the solution. The hardest part for beginners is going from 0 to 1. The main goal is that everyone on the team can be on the same page about the resources and tools used.</p>
<p>The source code of this document is in <a href="https://git.o-for.net/marx/gctf-2023-retro">this repository</a>.</p>
<h2 id="tools">tools</h2>
<p>Main tools used during the competition.</p>
<p><strong>nc</strong></p>
<p>The <a href="https://en.wikipedia.org/wiki/Netcat">netcat</a> command is available on Unix systems and is used to connect to remote services. In this CTF, several challenges are hosted on a server, and you have to interact with that server to get the flag.</p>
<pre><code>nc wfw1.2023.ctfcompetition.com 1337
</code></pre>
<p><strong>pwntools</strong></p>
<p><a href="https://github.com/Gallopsled/pwntools#readme">pwntools</a> is a Python library with several useful primitives for CTFs. In particular, we used it as a programmatic replacement for <code>nc</code>.</p>
<pre><code>from pwn import *
# open a TCP connection to the challenge service (same host and port as with nc)
r = remote('wfw1.2023.ctfcompetition.com', 1337)
# tubes work on bytes under Python 3; a str is only accepted with a warning
r.sendline(b'hello')
# read the service's reply up to and including the newline
r.recvline()
</code></pre>
<p>This way, it is easier to automate the interaction with the server.</p>
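<p>The following is an added example, not code from the retrospective or from pwntools. It re-creates the three pwntools primitives used above (<code>remote</code>, <code>sendline</code>, <code>recvline</code>) on top of the standard-library <code>socket</code> module, so it runs offline without pwntools installed, and drives a constructed local stand-in for a challenge service (the banner, the uppercase-echo behaviour and the <code>quit</code> command are all made up for the example). The point is the pattern a solve script follows: consume the banner, then loop over send-a-line / read-a-line pairs instead of typing them into <code>nc</code>.</p>

```python
"""Programmatic interaction with a line-oriented network service.

Added example: a minimal stand-in for pwntools' remote()/sendline()/recvline()
built on the socket module, exercised against a constructed local service.
"""
import socket
import threading


class Tube:
    """Buffered line I/O over a TCP socket (stand-in for a pwntools tube)."""

    def __init__(self, host: str, port: int, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def sendline(self, data: bytes) -> None:
        # pwntools expects bytes on Python 3 and only tolerates str with a
        # warning; the stand-in is strict so the mistake surfaces immediately.
        if not isinstance(data, bytes):
            raise TypeError("sendline expects bytes")
        self.sock.sendall(data + b"\n")

    def recvuntil(self, delim: bytes) -> bytes:
        """Read until delim is seen; return everything up to and including it."""
        while delim not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise EOFError("connection closed before delimiter")
            self.buf += chunk
        idx = self.buf.index(delim) + len(delim)
        out, self.buf = self.buf[:idx], self.buf[idx:]
        return out

    def recvline(self) -> bytes:
        return self.recvuntil(b"\n")

    def close(self) -> None:
        self.sock.close()


def _serve(listener: socket.socket) -> None:
    """Constructed stand-in for a CTF service: greet, uppercase each line,
    say goodbye on "quit". Handles a single client, then shuts down."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"Welcome to the constructed echo service\n")
        reader = conn.makefile("rb")
        for line in reader:
            if line.strip() == b"quit":
                conn.sendall(b"bye\n")
                break
            conn.sendall(line.strip().upper() + b"\n")
    listener.close()


def start_service() -> int:
    """Start the fake service on an ephemeral localhost port; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def solve(port: int, words: list) -> list:
    """Automate the exchange the way a solve script would with pwntools:
    drop the banner, then one sendline/recvline pair per input, then quit."""
    r = Tube("127.0.0.1", port)
    r.recvline()                      # consume the banner line
    answers = []
    for w in words:
        r.sendline(w)
        answers.append(r.recvline().rstrip(b"\n"))
    r.sendline(b"quit")
    farewell = r.recvline().rstrip(b"\n")
    r.close()
    return answers + [farewell]


if __name__ == "__main__":
    port = start_service()
    print(solve(port, [b"hello", b"ctf"]))   # [b'HELLO', b'CTF', b'bye']
```

<p>Against a real challenge you would replace <code>Tube</code> with <code>remote(host, port)</code> from pwntools and keep <code>solve</code> as it is; the buffering in <code>recvuntil</code> is what lets you stop at a prompt or a known marker rather than at whatever chunk size the kernel happened to hand back.</p>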
<p><strong>Decompiler</strong></p>
<p><a href="https://github.com/NationalSecurityAgency/ghidra">Ghidra</a> is a great tool to decompile binaries: you get some pseudo-C code. Pictures of some problems.</p>
<p>I've read in the general gCTF Discord about some alternatives that I haven't tried:</p>
<ul>
<li><a href="https://rada.re/n/">Radare2</a></li>
<li><a href="https://hex-rays.com/ida-pro/">IDA</a> This one seems very good but is not free.</li>
<li><a href="https://binary.ninja/">Binary Ninja</a></li>
</ul>
<p><strong>Debugger</strong></p>
<p><a href="https://www.sourceware.org/gdb/">gdb</a></p>
<ul>
<li><a href="https://github.com/pwndbg/pwndbg">pwndbg</a> <code>is a GDB plug-in that makes debugging with GDB suck less</code>. This one works great.</li>
</ul>
<p><strong>Solver</strong></p>
<ul>
<li><a href="https://github.com/Z3Prover/z3">Z3</a> is a powerful theorem prover. You can think of it as a SAT solver on steroids.</li>
<li>What was the other alternative mentioned by @alex for C++ symbolic execution?</li>
</ul>
<p><strong>Other UNIX tools</strong></p>
<ul>
<li>readelf</li>
<li>strings</li>
<li>???</li>
</ul>
<p><strong>Hex editor</strong></p>
<p>Edit binary files with hex editors. I have used the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.hexeditor">Hex Editor</a> extension for VS Code.</p>
<h2 id="misc">misc</h2>
<p>Everything that doesn't fit in the other categories.</p>
<ul>
<li><a href="mind-the-gap/">MIND THE GAP</a></li>
<li>NPC</li>
<li>PAPAPAPA</li>
<li>SYMATRIX</li>
<li>TOTALLY NOT BRUTE FORCE</li>
</ul>
<h2 id="crypto">crypto</h2>
<p>Usually, it is easy to understand the goal by inspecting the given code. The problem is generally about cracking some insecure crypto primitive involving "heavy" math.</p>
<ul>
<li>CURSVED</li>
<li>LEAST COMMON GENOMINATOR</li>
<li>MHK2</li>
<li>MYTLS</li>
<li>PRIMES</li>
<li>ZIP</li>
</ul>
<h2 id="pwn">pwn</h2>
<p>You are given an application (usually a stand-alone binary, or a binary running on a server) with some "clear" functionality that contains a not-so-clear vulnerability. The goal is to exploit the vulnerability to make the app do something unintended; common goals are gaining shell access or reading a file you are not supposed to read.</p>
<ul>
<li>GRADEBOOK</li>
<li>KCONCAT</li>
<li>STORYGEN</li>
<li>UBF</li>
<li>WATTHEWASM</li>
<li><a href="write-flag-where/">WRITE-FLAG-WHERE</a></li>
</ul>
<h2 id="reversing">reversing</h2>
<p>You are given an application (usually a stand-alone binary, or a binary running on a server) with an obscure functionality. The first part of the goal is figuring out what the application does by inspecting the code.</p>
<ul>
<li>AUXIN</li>
<li>FLANGTON</li>
<li>JXL</li>
<li>OLDSCHOOL</li>
<li>PNG2</li>
<li>TURTLE</li>
<li>ZERMATT</li>
</ul>
<h2 id="web">web</h2>
<p>You are given a web application with some functionality. The goal is to exploit some vulnerability in the web application to get the flag. This is where you will find the most common vulnerabilities, like SQL injection, XSS, etc.</p>
<ul>
<li>BIOHAZARD</li>
<li>NOTENINJA</li>
<li>POSTVIEWER V2</li>
<li>UNDER-CONSTRUCTION</li>
<li>VEGGIE SODA</li>
</ul>
<h2 id="sandbox">sandbox</h2>
<p>You are given a sandboxed environment where you can run some code. The goal is to exploit some vulnerability in the sandbox to get the flag.</p>
<ul>
<li>FASTBOX</li>
<li>GVISOR</li>
<li>LIGHTBOX</li>
<li>V8BOX</li>
</ul></div>
</div>
</div>
<footer class="col-md-12">
<hr>
<p>Documentation built with <a href="https://www.mkdocs.org/">MkDocs</a>.</p>
</footer>
</body>
</html>
<!--
MkDocs version : 1.4.3
Build Date UTC : 2023-06-28 23:44:24.921742+00:00
-->