10. Use telnet connection to play a maze game
The whole maze map is actually a 91x91 QR code
To find the flag, we need to walk through all the places, record them and show them on the screen
By computer?
By hand?
Maze
11. maze - by hand
Why not just do it by hand :D
With pictures:
- easy to convert into a real QR code
- need to be very focused
With words:
- can mark some routes while solving
- hard to decode for a QR code reader
12. Puzzle
Found the original image to compare against, and found no difference in the image content
Google
Wiki
Turned to analyzing the header, and found JFXX*100
Extracted the images stored in the JFXX segments
Write simple tools to make things easy
If you want to try, click this link
http://people.cs.nctu.edu.tw/~chhhsu/puzzle/
19. DIAGCGI
Core concept:
Curl: local file copy and rename
Download the main Perl CGI program
Check how the program identifies and verifies the user
We can find how they apply the session argument
eval() instead of parsing it
Put code in that session file and get the flag
22. A polyglot built by everyone together
Started from the DEF CON 22 polyglot
The DEF CON polyglot wrote shellcode compatible with different arches
This polyglot writes a script compatible with different langs
Propose the basic idea
Make the pieces of code comment each other out
Make good use of syntax the languages have in common
Handle the differences between the languages
Everyone tested different syntax like crazy
Use readFile in Haskell instead of System.Cmd
Sometimes letting someone else take a turn brings a different line of thinking
23. Polyglot
`cat flag` in Python, C, Ruby, Haskell
A string is a comment in Python and Ruby
Use `""" "` to distinguish a Python string from a Ruby string
In Ruby, everything after __END__ is a comment
# is a C preprocessor command and a single-line comment in both Python and Ruby
24. Polyglot
{- Block Comment in Haskell -}
Make {- legal in the other languages
x={-"""1".to_i=>"2""".count('1')};
It means x = { -1 } in Python and x = { -1 => 0 } in Ruby
Make it mean x = { -'1' }; in C by inserting #ifdef in it
Use readFile instead of import System.Cmd to avoid the rule "import must be at the beginning of the code" in Haskell
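As an added example that is not the team's own file, here is a smaller three-language polyglot using the tricks these two slides describe (`#if 0` as the C preprocessor hide, `""" "` to split Python and Ruby, `__END__` to stop Ruby, a C comment to swallow the Python quotes); Haskell's `{-` trick is left out for space. It assumes the file is run as `python3 poly.py`, `ruby poly.py` and `gcc -x c poly.py`, and each language prints its own name:

```python
#include <stdio.h>
#if 0
# C: everything from "#if 0" to "#endif" is skipped by the preprocessor.
# Python and Ruby: every line starting with "#" is a comment.
x = """ "
# Ruby: the line above is the empty string "" followed by " ", two adjacent
# literals; the Ruby code below runs.  Python: the same line opened a
# triple-quoted string, so Python skips this Ruby code.
def which_language; 'Ruby'; end
puts which_language
__END__
# Ruby: nothing after __END__ is parsed.  Python: still inside the string.
""" # "
# Python: the line above closed the string (the trailing quote is a comment
# for Python and keeps the quotes balanced for the C preprocessor).
def which_language():
    return 'Python'
if __name__ == '__main__':
    print(which_language())
#endif
# /*
"""
*/
// C: the null directive "# /* ... */" hid the Python quotes in a comment;
// from here to the next "/*" is plain C, which Python holds in a string.
int main(void) { puts("C"); return 0; }
/*
"""
# */
```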
31. Rsbo
Found that stuffing in a long string crashes it
Reads 0x80 bytes into a buffer of size 80
DEP + ASLR
Buffer bytes are randomly exchanged
Fill the buffer with zeros
Make each byte of the size exchange to 0x00
Bypass the randomization
Read more input
Try to call read_80_bytes again
33. hop – reverse
Windows 64bit PE
It will print "Key:" and get input from the user
Use "String Reference" to locate the important code
The most important part is function "sub_401590"
34. hop - reverse
The program will "hop" by indirect jump to many positions; every code section looks like
Note that "pop rax" is each char of the input key
Just like a "function table lookup". If our answer is wrong, it will return 0. Otherwise, it will return 1.
35. hop - reverse
We first find all code sections by scanning the binary for the binary pattern. There are over 130 of them.
By analyzing these sections, we can find all destination sections of each section.
These sections are just like an "automaton", which reminds me of "automata - Boston Key Party 2014".
Find the correct "path (key)", which steps over 40 states and finally gets to the "return 1" state.
46. Finger
This is a Rock-paper-scissors game
It does md5 over every 16 chars that you input, sums it and checks later
If we can bypass the boss attack then it is possible to win
If guess wrong, che
47. Finger
We don't want to find a collision XD
We just cheat when we know the boss is going to win, so the boss cannot attack us
Boss wins: our hp -1
Tie: both hp -0
We win: boss hp -rand(1..3)
48. Write ups (by xatierlike Lee)
http://pastebin.com/JqBFKfvu
By xatierlike Lee
http://ensky.logdown.com/posts/2014/08/20/hitcon-ctf-2014-24
By ensky
http://ddaa.logdown.com/posts/221204-hitcon-ctf-2014-pwn-150-rsbo
By ddaa