This post contains a write-up of the Bluetooth Low Energy Capture the Flag (BLE CTF) as developed by hackgnar. The CTF teaches various core concepts of Bluetooth LE. A more advanced version is now available too, the BLE_CTF_INFINITY. Prerequisites After building and flashing the CTF to the target device (see the documentation for the required steps), ensure the bluetooth service is running using systemctl start bluetooth. Next verify the target device is discoverable: sudo hcitool lescan should return an entry like this: 30:AE:A4:26:2B:E6 BLECTF.
Right before the end of 2020 I completed the Holiday Hack Challenge 2020. Though it’s obviously not the first type this conference took place, it was the first time I participated. Below is my write-up of the primary objectives along with a selection of side-challenges. Objectives: Uncover Santa’s Gift List Investigate S3 Bucket Point-of-Sale Password Recovery Operate the Santavator Open HID Lock Splunk Challenge Solve the Sleigh’s CAN-D-BUS Broken Tag Generator ARP Shenanigans Defeat Fingerprint Sensor Naughty/Nice List with Blockchain Investigation (part 1, part 2) Challenges:
Whilst working on angr_ctf in order to properly dive into Angr, there was one exercise which required the use of a symbolic filesystem with SimFile backed by symbolic memory. This particular challenge requires a particular input to be present in the input file and as such act as the password. The filename can be quickly looked up in the binary; the contents however will be made symbolic so we can solve for that.
This year I participated in the Brixel CTF winter edition along with another player from the Darknet Diaries Discord community. Despite some stability issues on the server side this CTF had some fun puzzles although some more challenging puzzles would be appreciated for a future installment. Below is my write up of a few of them – I ended up solving a few more but I didn’t keep any notes on them.
ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem. Exploring the binary Not much going on with this binary: jasper@ropper:~/ropemporium/ret2csu$ checksec ret2csu [*] '/home/jasper/ropemporium/ret2csu/ret2csu' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And as expected there is no usefulFunction or usefulGadgets:
The pivot challenge creates a situation where stack space is limited. This means that our full payload cannot be stored on the stack and instead must be located elsewhere in memory. However in order to start executing the code pointed to from the new stack we have to swap stacks! This is called pivoting and let’s get started. Exploring the binary The pivot binary is linked with libpivot.so: jasper@ropper:~/ropemporium/pivot$ checksec pivot [*] '/home/jasper/ropemporium/pivot/pivot' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) RPATH: '.
Fluff was a challenge that is actually challenging, up to the point where you have a realisation and from there on it’s fairly straightforward. Exploring the binary Nothing special going on still with this binary in terms of canaries or the likes: [*] '/home/jasper/ropemporium/fluff/fluff' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) And again usefulFunction() contains a reference to system(): [0x00400650]> afl 0x004005a0 3 26 sym.
The previous challenge taught a very important pattern of “the mover” by performing chunked writes of arbitrary data into memory. This next challenge deals with a illegal or bad characters. Most everyone who has written exploits before has run into them at some point. Manually searching for which bytes are considered bad can be rather time consuming so plenty of tools have incorporated automatic detection. In our case the input characters which will result in badbytes have also been provided to us to make it easier to focus on the actual exploit.
With basic knowledge of how the GOT and PLT work and how function calls go through them along with a basic understanding of the amd64 ABI calling convention we can start looking for real gadgets now. In fact in this assignment we’ll look at a really helpful way of loading arbitrary data into memory. Exploring the binary Just like before, let’s start off by exploring the binary bit to get a feel for what we’re dealing with here:
After familiarising ourselves with a simple buffer overflow in ret2win to overwrite the return address first, and then searching and using our first real gadget in split we will now focus on the Procedure Linkage Table (PLT). While here the functions that need to be called will all be using three arguments, thus exposing a little bit more of the amd64 calling convention. Exploring the binary It should be a familiar routine by now to check the binary for any compiled-in security measures, followed by looking for strings and functions.
In the previous post I tried to explain what ROP is and how I solved the ROP Emporium ret2win. This write-up will be about the second challenge: split. We’ll look at finding our first gadget and how to go about using it in a chain. Exploring the binary First explore the binary to see what we’re up against: $ rabin2 -I split | grep nx nx true $ rabin2 -z split [Strings] Num Paddr Vaddr Len Size Section Type String 000 0x000008a8 0x004008a8 21 22 (.
Over the past couple of week I’ve set myself the goal of learning how Return Oriented Programming (ROP) really works. Coincidentally, over at Hack the Box there have recently been multiple instances where one needed to exploit a binary using ROP. Whilst doing some research on the topic I ran into ROP Emporium and this has proven to be very valuable resource. This site hosts eight challenges with an increasing level of difficulty and along the way it touches upon various concepts related to ROP and binary exploitation.