TISC 2024
TISC 2024 ran from 13th to 29th September this year, right after my prelims ended on the 13th. (I actually went cycling on the afternoon of 13th and got lost and only came home at midnight so I couldn’t play as I had planned)
Also before the CTF started I was already 1st place because of alphabetical order :). I knew I was fated to get 1st place.
In an act of heroic defiance, I defied fate and did not get 1st place, solving 11/12 of the challenges in the 16 day duration.
Here are my writeups for the 12 challenges in the CTF. I went the RE route instead of web/cloud this year, and it was pretty fun so I don’t regret it.
(I wrote some of these writeups in a hurry because of my upcoming IB finals that I need to study for - I’ll update them after my finals are over)
Navigating the Digital Labyrinth (Level 01)
The dust has settled since we won the epic battle against PALINDROME one year ago.
Peace returned to cyberspace, but it was short-lived. Two months ago, screens turned deathly blue, and the base went dark. When power returned, a mysterious entity glitched to life on our monitors. No one knows where it came from or what it plans to do.
Amidst the clandestine realm of cyber warfare, intelligence sources have uncovered the presence of a formidable adversary, Vivoxanderith—a digital specter whose footprint spans the darkest corners of the internet. As a skilled cyber operative, you are entrusted with the critical mission of investigating this elusive figure and their network to end their reign of disruption.
Recent breakthroughs have unveiled Vivoxanderith’s online persona: vi_vox223. This revelation marks a pivotal advancement in our pursuit, offering a significant lead towards identifying and neutralizing this threat.
Our mission now requires a meticulous investigation into vi_vox223’s activities and connections within the cyber underworld. Identifying and tracking Vivoxanderith brings us one crucial step closer to uncovering the source of the attack and restoring stability to our systems. It is up to you, agent!
Searching for the mysterious vi_vox223 using
Sherlock, we see an Instagram
profile with the same name. Under his
stories, this elusive figure has created a Discord bot with ID
1284197383864979486. We have the exclusive opportunity to grace our server with
the bot’s presence using this link:
We need to have the elusive D0PP3L64N63R role to unlock the hidden menu. After
that, we can access the filesystem and download the Update_030624.eml file.
Opening this file, there is an email attached:
Dear Headquarters,=20 |
Using the location IDs provided, we can pinpoint the location to this:
We can also visit the Linkedin provided to access the secret agent under the guise of a Telegram bot with username @TBL_DictioNaryBot. Sending the identified location will confirm our identity and give us the flag.
TISC{OS1N7_Cyb3r_InV35t1g4t0r_uAhf3n}
Language, Labyrinth and (Graphics)Magick (Level 02)
Good job on identifying the source of the attack! We are one step closer to identifying the mysterious entity, but there’s still much we do not know.
Beyond Discord and Uber H3, seems like our enemies are super excited about AI and using it for image transformation. Your fellow agents have managed to gain access to their image transformation app. Is there anyyy chance we could find some vulnerabilities to identify the secrets they are hiding?
In this level, PALINDROME employs the power of LLMs to edit photographic evidences of their crimes. we’re provided with 1 web interface (3, actually, cos remote kept crashing) where we can upload images, specify some transformation on the image, and download the newly transformed image. It uses an LLM to generate GraphicsMagick commands which are run on the server (this is totally unnecessary and it is clear PALINDROME just wants to hop on the LLM bandwagon). We can get the LLM to generate our own GraphicsMagick commands like so:
gm convert <input> <output> |
and the LLM will replace the input and output filenames accordingly. Neat!
In GraphicsMagick, we can add comments to images, which will append the string to the end of the image file - we can see this when we strings it. Since the command is being ran directly in the shell (bash presumably), we can use globbing to put the contents of flag.txt in the comments.
gm convert <input> -comment "$(cat /**/flag*.txt)" <output> |
Uploading any image and entering this command, then downloading the image and
running strings on it, will give us the flag.
TISC{h3re_1$_y0uR_pr0c3s5eD_im4g3_&m0Re}
Digging Up History (Level 03)
Ah, who exactly is behind the attacks? If only our enemies left more images on their image transformation server. We are one step closer, but there is still so much to uncover…
A disc image file was recovered from them! We have heard that they have a history of hiding sensitive data through file hosting sites… Can you help us determine what they might be hiding this time?
Looks like we got our hands on one of PALINDROME’s agent’s disk images… We’re
provided with a huge 1.3GB csitfanUPDATED0509.ad1 file. We can use FTK Imager
to open this and view the contents of the disk.
The title of the challenge hints towards checking out the user’s browser
history, so we should do exactly that. Under the Documents and Settings
folder, there are 2 browser folders - Mozilla and “Mypal68” (but the Mozilla
folder was empty). Going to “Mypal68”, we can see 2 profiles -
ibxh2pqf.default and a80ofn6a.default-default. The former is mostly empty,
so let’s look at the latter, where we find the places.sqlite file. This file
generally contains the browser history for Mozilla browsers - exactly what we
wanted! Let’s extract this file and open it.
sqlite> select * from sqlite_master; |
Wow so many tables…
Luckily, the moz_places table was the only table we needed - when dumping the
contents of this table, we see the following row:
17|https://csitfan-chall.s3.amazonaws.com/flag.sus|flag.sus|moc.swanozama.3s.llahc-naftisc.|0|0|0|0|1725522130630000|0Ds_Z7hyaY9W|0|47357524652742|||10 |
The downloaded file contains the Base64-encoded flag.
TISC{tru3_1nt3rn3t_h1st0r13_8445632pq78dfn3s}
AlligatorPay (Level 04)
In the dark corners of the internet, whispers of an elite group of hackers aiding our enemies have surfaced. The word on the street is that a good number of members from the elite group happens to be part of an exclusive member tier within AlligatorPay (agpay), a popular payment service.
Your task is to find a way to join this exclusive member tier within AlligatorPay and give us intel on future cyberattacks. AlligatorPay recently launched an online balance checker for their payment cards. We heard it’s still in beta, so maybe you might find something useful.
In this level, PALINDROME is using a service to conduct their shady money laundering schemes where we can upload an “AGPAY” card. The card validation is done client-side, so we can reverse the logic to create our own card. If our card’s balance is equal to 313371337, we will get the flag.
The card format has several things we need to look out for:
- Starts with AGPAY and ends with ENDAGP
- Has data corresponding to
card_number + expiry_date + balance, encrypted using AES-CBC, with a key and IV of our choice - Has a checksum of
md5(encrypted_data + iv)
I pasted the script into Gemini and asked it to create a Python script for me. It was actually pretty good and I didn’t have to modify much to obtain a valid card!
import random |
After generating our card and uploading it, we get our flag.
TISC{533_Y4_L4T3R_4LL1G4T0R_a8515a1f7004dbf7d5f704b7305cdc5d}
Hardware isn’t that Hard! (Level 05)
Shucks… it seems like our enemies are making their own silicon chips??!? They have decided to make their own source of trust, a TPM (Trusted Platform Module) or I guess their best attempt at it.
Your fellow agent smuggled one out for us to reverse engineer. Don’t ask us how we did it, we just did it, it was hard …
All we know so far is that their TPM connects to other devices using the i2c bus and does some security stuff inside. Agent! Your mission, should you choose to accept it, is to get us unparalleled intel by finding their TPM’s weakness and exfiltrating its secrets.
You will be provided with the following compressed flash dump:
- MD5 (flash_dump.bin.xz) = fdff2dbda38f694111ad744061ca2f8a
Flash was dumped from the device using the command: esptool.py -p /dev/REDACTED -b 921600 read_flash 0 0x400000 flash_dump.bin
You can perform your attack on a live TPM module via the i2c implant device hosted behind enemy lines: nc chals.tisc24.ctf.sg 61622
We’re provided with a flash dump of the esp32 chip. The flash dump contains several partitions, including the app that we’re interested in. We can view these partitions using https://github.com/tenable/esp32_image_parser.
$ : esp32_image_parser.py show_partitions flash_dump.bin |
And we can dump the app0 partition into an ELF file that we can reverse:
esp32_image_parser.py create_elf flash_dump.bin -partition app0 -output app0.elf |
Unfortunately, the chip uses the xtensa instruction set, which IDA doesn’t
support that well - we can’t decompile stuff nicely. But luckily, Ghidra is able
to output nice decomp so we’ll use Ghidra instead!
I was hoping that the main function would be easy to find, but that’s not the
case. In here, we start at the start function, which has a lot a lot of calls
everywhere. Even worse, the binary is stripped so we don’t have proper function
names. I tried to trace it but gave up after spending hours trying to identify
the main function.
After clicking through Ghidra for pretty long, I found this banner string in
.dram0.data that seems quite suspicious:
s__3ffbdb8a XREF[2,13]: 400d0058(*), |
This string seems like a likely banner output from the chip when we interact with it. We can jump to its xrefs to find our main function.
void FUN_400d1614(uint param_1) { |
Some comparisons are being made, presumably against our input. So that’s how we can interact with the chip - by sending a byte of either F, M or C. The protocol is using the I2C protocol, which according to Wikipedia and the instructions provided on remote, consists of a 2 byte data stream. The 1st byte is used to specify the direction of data transfer (read or write) and the address of the chip, while the second byte is the data itself. Since we also need to receive output from the bus, reading is a 2-step process - first read from the chip into the bus, then from the bus into console.
I used the following to guess the address of the chip:
for i in range(0x7f): |
When we interact with the “F” endpoint, we get a random string of data that is probably the encrypted flag. Upon initialization, the chip randomly generates a seed key that is later processed and used to encrypt the flag. Based on this, we can determine the possible keys based on the flag format, and narrow down the possible keys after each encryption, until we have the final key which we can use to decrypt the flag.
I used this script to interact with the chip and read the flag:
from pwn import * |
RE Path - Noncevigator (Level 06)
I guess their Trusted Platform Modules were not so trusted afterall. What about blockchain? Blockchain is secure by design, right?
It seems like our enemies may have hidden some of their treasures somewhere along in our little island, all secured by this blockchain technology.
We have heard rumours that to access the treasure, you must navigate to the correct location and possess the correct value of the “number used only once”. This unique code is essential for unlocking the fortified gate guarding the treasure!
Ensure your wallet is sufficiently funded for travel and any potential challenges you may encounter. Your journey begins now. It’s your mission now - crack the code and see what treasures they are hiding!
This was strangely not an RE challenge but a blockchain/pwn challenge. The main 2 vulnerabilities are here:
function withdraw() external { |
We can do a reentrancy attack here. I used the following to withdraw all the funds:
function withdraw() external { |
Once we have sufficient funds, we can call the startUnlockingGate function.
travelFundVaultAddr = tfvAddr; |
And here, there isn’t actually any function called “unlockgate()” in the contract (the contracts for treasureLocations were not released). Eventually, we need to deploy our own contract to implement this function.
But how do we deploy our own contract to the hardcoded addresses? When
generating an address for a contract deployment using the CREATE opcode (not
CREATE2), the EVM takes into account the deployer’s address and a nonce that
increments every time a contract is deployed. This address is thus deterministic
and can even be controlled partially by the attacker. We can write a script to
bruteforce a possible nonce value that will give us one of the contract’s
addresses:
import rlp |
From this, pulauSemakau’s address seems to be manually set by the challenge to be achievable within a small nonce (30-50). So we can repeatedly deploy contracts until we deploy a contract at the required nonce value.
What can we do with the unlockGate call? Since it’s being called with
delegatecall, the memory layout of the calling contract is inherited directly
by the callee. So, we can edit the isLocationOpen to directly set
pulauSemakau to true and get the flag.
Full exploit contracts:
pragma solidity ^0.8.19; |
RE Path - Baby Flagchecker (Level 07)
You’ve come so far, brave agents! Let us continue our mission to identify our threats, and retrieve the crucial information that they are hiding from the world.
While scanning their network, your fellow agents chanced upon a tool used by the adversary that checks for the validity of a secret passphrase.
We know that they use this phrase for establishing communications between one another, but the one we have is way outdated… It’s time for an update.
This level had a bit a difficult RE but it was partly a blockchain chall too. Seems like PALINDROME really likes blockchain…
The web interface has SSTI that allows us to view the entire response data object from this function. Unfortunately we can’t use this for RCE because it limits our input length to 32, which is too short for an RCE payload.
def call_check_password(setup_contract, password): |
setup_contract_bytecode and adminpanel_contract_bytecode are the partial
bytecodes of the respective contracts. I used https://ethervm.io/decompile to
decompile the bytecode into semi-readable Solidity code, but it wasn’t really
helpful. In the end, I painfully parsed the assembly step-by-step to figure
out the stack state and stuff.
After hours of reversing, my revelation was that in the assembly for
adminpanel, we can see that it checks if the input is of length 16. If so, it
slices off the TISC prefix here:
0023 60 PUSH1 0x04 |
and calls the secret contract to get the flag (I think, we can’t actually tell from the delegatecall).
0000 5F PUSH0 |
Afterwards, it does some comparison stuff here:
0064 60 PUSH1 0x0d // for loop until 0xd |
I’m not sure why, but apparently matching each character spends a bit more gas. So based on the gas usage which we can see via the SSTI, we can sequentially determine each character of the flag. Each time the gas increases, we know that character is correct.
This is the payload I used:
{_________}{{response_data}} |
TISC{g@s_Ga5_94S} |
Wallfacer (Level 08)
Breaking news! We’ve managed to seize an app from their device.
It seems to be an app that stores user data, but doesn’t seem to do much other than that… The other agent who recovered this said he heard them say something about parts of the app are only loaded during runtime, hiding crucial details.
It’s up to you now! Can you break through the walls and unveil the hidden secrets within this app?
Is PALINDROME secretly the Earth-Trisolaris Organization??
We’re provided with an Android app which seems to be a very useless input field
that does nothing but store the input in-memory. Opening the APK in JADX, we can
see a hidden activity in AndroidManifest.xml (com.wall.facer.query). We can
manually load this activity in Android Studio to reveal a activity that requests
for a IV and secret key, to decrypt the flag.
Also, we can see a few suspicious values in res/values/strings.xml.
<string name="base">d2FsbG93aW5wYWlu</string> |
The base64 values are wallowinpain, data/ and sqlite.db respectively.
Unzipping the APK and going to the assets folder, we can see the sqlite.db and
several strange files in data/:
$ : ls |
sqlite.db is not a valid SQLite database (though it has the SQLite 3 magic
bytes) and trying to open it gives an error. I spent a good amount of time
thinking the db was encrypted and tried to decrypt it to no avail.
After digging in JADX a bit, I found this really suspicious function that seems to be reading a file and decrypting it:
public C0289q1(byte[] bArr) { |
public static ByteBuffer K(Context context, String str) { |
Most likely, this function is decrypting the mysterious sqlite.db file. Using
Frida, I re-implemented the 2 sections in JS using the wrapper provided:
function ByteBufferToInt(byteArray) { |
On logging the result, we can convert it from the byte array into a binary in Python and obtain a decrypted .dex file! (PALINDROME is really sneaky)
Opening the new .dex file in JADX, we see a few more clues:
- Entering “I am a tomb” into the MainActivity input pwill generate a .so native library and load it into the application. (“I am a tomb” - the scene where Blue Space encounters the 4D spaceship about to be 3-dimensionalized)
- “Only Advance” will trigger a function from the native library to generate the IV and key for flag decryption. (“Only Advance” - Wade when sending Tianming’s brain to the First Trisolaran Fleet)
However, when we enter in the 2 inputs, in the logs, we see that we need to
patch the binary to bypass certain checks. In Frida, we can hook onto
System.load, just before the native library is deleted, so we can extract it
from the device’s filesystem and reverse/patch it.
System.load.implementation = function(library) { |
The following part was really painful to reverse and patch. There are 3 checks that we need to bypass:
- “I need a very specific file to be available”:
/sys/wall/facerfile needs to exist. Unfortunately, we cannot create the file normally, but we can patch the binary to change it to check for some other file, like/etc/passwd. - I don’t even know what the next function checks, but we can patch the value of RAX used in the jumptable so that we jump to the “Input verification success” part instead of the “hahaha” part.
- “Bet you can’t fix the correct constant”: I also don’t know what’s going on here, but we can just patch the binary to set the RAX value to jump to not the “I’m afraid I’m going to have to stop you” part
After all the patches were done, we can technically hook onto System.load and
replace the library in the filesystem with the patched one. However, I couldn’t
get it to work properly, so I patched the loaded library in-memory instead.
Log.i.overload("java.lang.String", "java.lang.String").implementation = function(tag, msg) { |
After that, we pass all the checks, it spits out the key and IV, and we can put it in the app to get the flag:
TISC{1_4m_y0ur_w4llbr34k3r_!i#Leb}
Imphash (Level 09)
Almost there agent, we might have a chance to gain access into the enemy’s systems again!! We are so close.
But, it seems like they’ve developed a robust anti-malware service that’s thwarting all attempts to breach their systems!
We’ve found this import hashing plugin which is a key component of their malware analysis pipeline. Agent, can you find a way around it?
In this challenge, PALINDROME is using a radare2 plugin to output a hash of all
the imports of a binary (this is a common malware analysis technique). It takes
in a Portable Executable (PE) file and parses the imports to generate a hash.
This site was really useful to
learn about how the PE format encodes the import tables. Basically, there are 3
tables involved - a table of library entries, a table of library names, and a
table of function entries. The library entry table is the main table that is
parsed by radare2 to determine the PE’s imports. This table has several fields,
including OriginalFirstThunk and Name. OriginalFirstThunk points to the
start of a null-terminated table of function entries, where each entry is a
pointer to the name of the function (there’s another value before the name of
the function that isn’t important for our exploit). The Name field simply
points to the address of the library name. Note, however, that these addresses
are RVA addresses - their physical addresses which we can see in a hex editor
are not the same as the value we should be putting in, but offset by a certain
amount. I compiled a test PE file with a few imports to determine the fixed
offset, and from there added the offset to each of my desired entries.
(I attempted to use the python lief library to generate a PE file with
arbitrary imports, but it wasn’t working very well. There was also a C# library
that could do the same but I was too lazy to setup a C# environment just for the
challenge. In the end, I manually crafted my exploit using HxD, so I won’t have
an exploit script for this challenge, just an overview of what I did during the
CTF.)
Taking a look in IDA, we can see how this plugin works - it appends all the imports and library names into a really long string, then hashes the entire string to get a unique hash for the set of imported functions. However, we can see that the index which keeps track of the end of the string during the appending process might possibly overflow here:
if ( 4094LL - idx < (unsigned __int64)(libname_without_extension_len + name_len) ) // can possibly overflow |
Even though the remaining space left on the string is checked against the total
length of the library name and function name, the actual number of characters
appended is 2 more than the value specified, one for the dot and one for the
comma. So, if the total length of index + library_name + function_name is less
than 4094, but the actual total length is 4096, then we can overflow the index
and do a array out of bounds. With this out of bounds, we can immediately modify
name_len and libname_without_extension_len, which are used to change the
value of idx. Hence, we can almost arbitrarily control idx now.
char formatted_name_to_hash[4110]; // [rsp+182h] [rbp-109Eh] BYREF |
The maximum lengths of the function name and library name are both 255 bytes, since radare2 truncates the remaining string. We can easily circumvent this by doing manual calculations on how many such entries we need to approach the overflow value, and once we’re near enough, using a smaller entry to get the index to point outside the array.
In the appending code above, we can see that libname gets appended first before function name is appended. So, we can use libname to OOB into name_len, and then subsequently, when the program reads name_len, we can use name to control the value of idx to point to wherever we want.
After controlling idx, where should we point it to? If we scroll up to the beginning of the function, we can see this happening:
strcpy(echo, "echo "); |
So the command that generates the import hash is actually a radare2 command that is hardcoded into the binary, but placed on the stack.
During exploitation I faced an issue with encoding (0xff would be encoded to 0xc0ff in UTF-8), so my index ended up pointing somewhere else. I verified this by launching radare in GDB so I could see the exact value of the index after the overwrite.
I was too lazy to fix this properly, so after overwriting index, I just added
enough entries to increment index back to the desired value. Even though it
probably overwrote something important higher up in the stack it doesn’t matter
once we manage to replace echo with our desired flag command:
echo ; cp /app/flag.txt out; |
The whitespace is so our hash doesn’t interfere with the payload. After parsing this file, remote returns us the flag:
TISC{pwn1n6_w17h_w1nd0w5_p3} |
Diffuse (Level 10)
!!! We’ve found a weird device with a timer counting down! Ccould..it… be…a bomb….?? Your fellow agents found some access into the engineer’s machine, will you be able to find some clues and diffuse it before it’s too late?
For details on your instance, talk to @DiffuseInstanceBot on Telegram.
Note: Instances may be refreshed periodically. Remember to save your work outside of the instance!
This challenge was the most painful and guessy challenge in the CTF (yes, even more guessy than the Level 01 OSINT). I don’t think I enjoyed this challenge very much at all, especially given the last part is quite intense RE which I already dislike.
We start off in a Windows SSH machine as the diffuser user, with a lot of red
herrings left around in the desktop. There’s also a diffuse user which we
don’t have access to. After trying some commands, we might realize that there’s
a web server running on the machine on port 80. We can curl this server and
observe that it seems to be running XAMPP v8.1.25, which a quick Google search
will show that it’s vulnerable to
https://github.com/AlperenY-cs/CVE-2024-4577. We can trigger this RCE exploit
in Poowershell as such:
irm |
The XAMPP user seems to have all admin privileges, so we can change the password
of the diffuse user and SSH as that user instead. In this new desktop, we find
a few interesting files, particularly the firmware for a certain bomb device.
Reversing this firmware was really quite a pain. It uses the XTENSA architecture, which IDA doesn’t have decompilation support for, and Ghidra’s decomp for it was quite trash. In fact, for this challenge, I found dynamic reversing a lot more useful than static, but we’ll visit that later. First, we need to figure out how to actually run the firmware.
In the user’s desktop, there are also some photos of the bomb device, including the Arduino board used to run the firmware. We can see from the board that the processor is atmega328p, and we can download an IDA configuration for this processor type from here.
Annoyingly, the schematic for the bomb was hidden in another folder in
AppData/Roaming, and I only found the schematic.pdf file after looking through
almost literally everything, and stumbling on the backup history for Notepad++,
which the challenge author probably used to setup the original instance. There I
saw the setup.ps1 file which points me to the schematic.pdf file.
Because I didn’t have the schematic initially, I tried using a variety of simulation software, such as simavr and AVR Simulator, all to no avail. Why? Because my assumptions about how the bomb worked, based on the fake image of the bomb provided in the folder, were wrong. I even tried to replicate the wiring of the bomb using eye power and the image, but nothing was showing up on the simulated LCD. Frustrated, I decided to take a break and wait for Gerrard to solve the challenge first, while I went to do my ever-growing pile of long-overdue schoolwork.
After Gerrard solved this challenge, I came back to take another look at the
windows VM provided, and finally found the schematic.pdf file. This schematic
was completely different from the provided image:
- The LCD display was completely different - in the image, it was a Hitachi HD44780 LCD, the most common LCD display on the market. However, the schematic suggested the LCD used was wokwi-lcd1602-i2c - not only is the LCD chip different (PCF8574T rather than HD44780), the protocol used is also different (I2C instead of standard).
- The image showed that the bomb had 2 input buttons - but in the schematic, the bomb is connected to a keypad instead.
- The image didn’t have the 7segment component, while the schematic had it.
Not only that, the PDF had a hidden page - on the second page was the secret key which we were meant to embed in the chip. The only hint towards this was the “Page 1 of 2” on the bottom of the PDF - such a small hint for a crucial detail.
(After solving the challenge, I realized that the A0/A1 pins also have a small “rng” label on it - apparently this was supposed to inform participants that we were supposed to connect a component here to control a certain RNG value, which we’ll look into later.)
Enough ranting - at least this meant I was actually making some progress. As the schematic components were labelled according to their IDs in the Wokwi simulation software, it was really useful for solving the last part of this challenge.
After setting up the wiring of the device as shown in the schematic, it was finally time to run the bomb firmware. On uploading the firmware and running it, we see some output from the LCD screen. However, entering the bomb code which we found in the firmware - 39AB41D072C - doesn’t defuse the bomb, but complains about a wrong decryption key. This is where the chip in the schematic comes in. Unfortunately, there was no indication as to what we were meant to do with the chip, other than that it should provide the decryption key. To make things worse, the Arduino would send a certain output to the chip to initialize the UART connection and poll to receive characters, which misled me into thinking we were supposed to do something with the received string. The most unlucky of all - the received string, when XORed against the entire decryption key found in the PDF, gives a string comprising of entirely printable characters, which made me think I was on the right track. Unfortunately, I was getting further from the solution.
At the same time, I started doing some dynamic analysis on the firmware. The XTENSA architecture was quite interesting - it had 32 8-bit registers, yet it operated on 16-bit values, so 1 value is usually represented by 2 registers. This is especially true for the X, Y, and Z registers, aliases for r27:r28, r29:r30, and r31:r32 respectively. In addition, the writable regions are stored completely separately from the code region (something called the Harvard architecture), so a memory address such as 0x37a can’t be properly resolved in IDA, since it also corresponds to a code address. GDB, which is based on von Neumann architectures, addresses this issue by offsetting the RAM region by a fixed offset 0x800000, and resolving the references to these addresses accordingly, so we need to add this value to the addresses we see in the disassembly if we wish to view it in GDB.
I soon figured that at some point between inputting the code and printing the error message, certain strings, including my decryption key, were being XORed against a single byte key. By setting this value to 0x00 and then checking the unchanged input strings, I found that the key 0xe8 would actually decrypt the last string to TISC{ - and then the decryption afterwards fails. I spent another painful day tracing this value all the way from its source - an instruction that reads a 16-bit value from the ADC register. This register, apparently, is controlled by the A0/A1 pins on the Arduino, The series of operations performed on the value obtained from this register is quite complex in assembly, but less so in Python:
def cool_func(val): |
This script will generate some possible values of the ADC register that will result in a decryption key of 0xe8. After running this script, we notice a few values like 1, 256 etc will work. Following this, I tried a few combinations of output from the chip with the secret key - sending back the string we received, XORing each respective byte of the received string and the secret key, and finally sending just the secret key - which worked perfectly. The LCD then tells us that the flag is found in the I2C bus. Looking at where I first saw the flag format, I realized the flag was no longer there. At this point, it was 3am and I was really tired of this challenge, so I just searched through memory for the flag format and found the flag at 0x80034d.
TISC{h3y_Lo0k_1_m4d3_My_0wn_h4rdw4r3_t0k3n!} |
Sandboxed Notes App (Level 11)
All thanks to you agent, we are now safe from that bomb threat, and we’re also in their systems now!
We’ve gained access to a server used to store notes by the enemy. It looks to be designed by a rookie, so it can’t be that hard to find an entry. Unfortunately, it seems that they are one step ahead of us, and deployed a cutting edge sandbox by Microsoft around the notes app. Can you break through it and give us more clues on who is behind all of these attacks?
This challenge was a really interesting sandbox escape challenge - when I’m free after my exams, I’ll go into more detail for the writeup.
Reading the source for the sandbox, it seems that there are 3 different heap allocators in use.
- Regular malloc - this is used by the parent as per normal, such as for the feedback chunk
- snmalloc page allocator - this is the large object allocator used by the parent to allocate memory regions for the child’s heap
- snmalloc small object allocator - this is used by the child
We need to start from the bottom and work our way up, to exploit the regular malloc and get RCE.
Debugging this challenge was slightly difficult because of the forked process -
if we wish to debug the parent, we should attach at the very start using
gdb.debug; otherwise, we should gdb.attach after the desired child process
has been spawned. Every time we exit the inner loop, the child process will be
killed, so our debugging session won’t remain active. Therefore, we need to
attach at the right child process to prevent this from happening. Now, let’s
get to the exploit!
The first vulnerability is easy to spot - there is use after free on the deleted
notes since the array entry isn’t cleared. We can even edit the freed chunk from
edit_note. In GDB, we can see that the chunks hold the metadata for the next
chunk to be loaded into the allocator. However, the allocator is LIFO, and so
overwriting the metadata of a currently freed chunk doesn’t do anything until
the allocator runs out of free chunks, and wraps around to our previously freed
chunks.
We can do a simple heap feng shui to align our heap such that new allocations of
content chunks will fall onto the previously allocated and freed note
chunks. This way, we can arbitrarily control the note struct as shown:
struct note { |
Firstly, we should want to leak some heap values from the sandboxed process. We
can increase the size to view more cool stuff when calling printfn.
Secondly, we want a libc leak. We can change the contents pointer to point to
known regions such as the GOT, and read the addresses of the resolved functions
to leak libc.
Thirdly, we want a libsandboxed.so leak as well, which we can leak from custom
overrides for functions like malloc.
Fourthly, since we have libc leak, we can overwrite the entry of a more
insignificant function like malloc, and set it to call a function of our choice.
A good target to call is try_alloc and try_dealloc, which we can use to
pivot from from the small allocator to the large one.
In the large allocator, we see that metadata is now stored on the parent, so we
can’t edit it. However, with try_alloc, we can allocate arbitrary of
large-size objects, which we may be able to exploit. These objects are passed
through a delete somewhere in the code, and we can follow the patched code to
see the conditions for a page’s metadata be freed, following which we can pass
in arbitrary pointers to free. I’ll go into more detail about this soon.
After getting arbitrary free, I didn’t have a very good structure to UAF, so I just freed the feedback struct. On creating another sandbox, a lot of chunks will be allocated. Doing some heap feng shui, we can make sure that the object which allocates into our feedback chunk has a pointer that points to some region before our feedback chunk. That way, we can overwrite the pointer once to get 1 arbitrary write.
However, it turns out that the chunk which is allocated into the feedback chunk is some strange struct that has a pointer 0xa00 bytes before our feedback chunk. If we were to spam null bytes into the extremely large region between the two, the program would most definitely crash when trying to use the heap again later on by freeing stuff. So, we need to first leak the values, then replace all the values verbatim up to the feedback pointer, which we set to our arbitrary write location. In fact, even after doing this, I still struggled with exiting normally via the interface, because the heap was already corrupted when we created fake chunks for the heap feng shui to control what struct was allocated into our feedback chunk. We’ll deal with this later, since this means our final exploit needs to exit abnormally instead of through the provided interface.
In this case, I want to do a House of Apple, but I still lack a libc leak in the
parent. This means I actually need to overwrite the feedback pointer twice -
once to leak libc, and once to overwrite the stderr file struct (there aren’t
any unsorted chunks within the leaked region). Since our primitive right now
only allows for 1 arbitrary write, we need to be clever with this to work around
this limitation. In the end, I decided to set the feedback content pointer to
the write GOT entry so we can leak it, then overwrite it to exit. Then, since
the GOT is above the global pointer to the feedback chunk, we can also overwrite
this, and fake another feedback chunk in the same region to initiate our second
arbitrary write. This time, we will overwrite stderr with the required House of
Apple values to get RCE and our flag!
Sorry if this writeup was a bit incoherent - I’m really sleepy right now and rushing out the writeup for the submission which I’m late for already, so it’s a complete mess. I’ll clean it up when I have the time to. Here’s my final exploit script:
#!/usr/bin/env python3 |
Revenge of the Dragon (Level 12) - Upsolve
All your investigations have led you to this place: a desolate hut, abandoned and hidden deep within the forest.
As you push open the creaking door, the musty air hints at recent activity. Scattered belongings and half-burnt logs in the fireplace suggest someone left in a hurry.
In the dim light, you spot a flickering screen on a dusty table — a computer, still running. On the display, a game title flashes ominously: “Revenge of the Dragon.”
We know this is it. If we solve this we solve it all – can you break in and find out who is behind these attacks?
TBD
TLDR I had local exploit working, but it didn’t work on remote for a number of reasons. Still my 2nd favourite chall after Level 11 tho!