[writeup] add heroctf 2021 (part)

Author: onealmond

README.md

@@ -3,6 +3,15 @@
 
 ### Reverse Engineering
 
+- _HeroCTF 2021_
+	- [Kernel Module #3](heroctf-2021/kernel-module-3/writeup.md)
+	- [Kernel Module #2](heroctf-2021/kernel-module-2/writeup.md)
+	- [Kernel Module #1](heroctf-2021/kernel-module-1/writeup.md)
+	- [Win But Twisted](heroctf-2021/win-but-twisted/writeup.md)
+	- [H4XOR](heroctf-2021/h4XOR/writeup.md)
+	- [JNI](heroctf-2021/JNI/writeup.md)
+	- [sELF Control](heroctf-2021/self-control/writeup.md)
+
 - _GLSC CTF 2021_
   - [Collisions](glsc-ctf-2021/collisions/writeup.md)
   - [Scr1pt1ng](glsc-ctf-2021/scr1pt1ng/writeup.md)
@@ -55,7 +64,7 @@
   - [Slippery Shellcode](picoctf-2019/slippery-shellcode/writeup.md)
   - [Messy Malloc](picoctf-2019/messy-malloc/writeup.md)
   - [Leap Frog](picoctf-2019/leap-frog/writeup.md)
-  - [GoT](picoctf-2019/GoT/writeup.md)
+  - [GoT](picoctf-2019/got/writeup.md)
   - [Pointy](picoctf-2019/pointy/writeup.md)
   - [ROP64](picoctf-2019/rop64/shellcode.py)
   - [AfterLife](picoctf-2019/AfterLife/shellcode.py)
@@ -66,6 +75,12 @@
 
 ### Web
 
+- _HeroCTF 2021_
+	- [You Should Die](heroctf-2021/you-should-die/writeup.md)
+	- [Transfer](heroctf-2021/transfer/writeup.md)
+	- [PwnQL #2](heroctf-2021/pwnQL-2/writeup.md)
+	- [PwnQL #1](heroctf-2021/pwnQL-1/writeup.md)
+
 - _GLSC CTF 2021_
   - [MR. Roboto](glsc-ctf-2021/mr.roboto/writeup.md)
 
@@ -80,7 +95,7 @@
   - [Cereal Hacker 1](picoctf-2019/cereal-hacker1/writeup.md)
   - [Cereal Hacker 2](picoctf-2019/cereal-hacker2/writeup.md)
   - [Irish-Name-Repo 1](picoctf-2019/Irish-Name-Repo-1/writeup.md)
-  - [Empire 1](picoctf-2019/Empire1/writeup.md)
+  - [Empire 1](picoctf-2019/empire1/writeup.md)
 
 - _CTFLearn_
   - [Don't Bump Your Head(er)](ctflearn/Don'tBumpYourHeader/writeup.md)
@@ -104,10 +119,10 @@
 
 - _PicoCTF 2019_
   - [WhitePages](picoctf-2019/WhitePages/decode.py)
-  - [Mr. WorldWide](picoctf-2019/Mr-WorldWide/writeup.md)
+  - [Mr. WorldWide](picoctf-2019/mr-worldWide/writeup.md)
   - [Caesar](picoctf-2019/caesar/decode.py)
   - [ROT13](picoctf-2019/rot13/writeup.md)
-  - [The Numbers](picoctf-2019/the_numbers/writeup.md)
+  - [The Numbers](picoctf-2019/the-numbers/writeup.md)
 
 - _Hacker101 CTF_
   - [Model E1337 Rolling Code Lock](hacker101-ctf/model-e1337-rolling-code-lock/writeup.md)
@@ -119,5 +134,3 @@
   - [Shark on Wire1](picoctf-2019/shark-on-wire1/writeup.md)
   - [ASM2](picoctf-2019/asm2/writeup.md)
   - [Like1000](picoctf-2019/like1000/writeup.md)
-
-

ctflearn/5x5/decode.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+
+def init_key():
+    key = [[]]
+    i = ord('A')
+    j = 0
+
+    while i < ord('Z')+1:
+        if len(key[-1]) == 5:
+            key.append([])
+
+        key[-1].append(chr(i))
+        print(chr(i), end=' ')
+        j += 1
+        if j % 5 == 0:
+            print()
+        i+=1
+        if i == ord('K'): 
+            i+=1
+    return key
+
+def decode(key, enc):
+    parts = enc.split(',')
+    flag = ['?']*len(parts)
+
+    for i in range(len(parts)):
+        flag[i] = parts[i]
+        if not parts[i][0].isdigit():
+            continue
+        r = 0
+        c = 0
+        for a in parts[i]:
+            if a.isdigit():
+                if r == 0:
+                    r = int(a)
+                else:
+                    c = int(a)
+        f = key[int(r)-1][int(c)-1]
+        flag[i] = f
+
+    return flag
+
+enc = "1-3,4-4,2-1,{,4-4,2-3,4-5,3-2,1-2,4-3,_,4-5,3-5,}"
+key = init_key()
+flag = decode(key, enc)
+print(''.join(flag))

heroctf-2021/JNI/writeup.md

@@ -0,0 +1,71 @@
+
+Decompile *JNI.apk* with *apktool*, go direct to *fr.heroctf.jni.MainActivity* class as indicated in *AndroidManifest.xml*.
+
+```xml
+...
+<activity android:name="fr.heroctf.jni.MainActivity">
+    <intent-filter>
+        <action android:name="android.intent.action.MAIN"/>
+        <category android:name="android.intent.category.LAUNCHER"/>
+    </intent-filter>
+</activity>
+...
+```
+
+*fr.heroctf.jni.MainActivity* is defined in *smali/fr/heroctf/jni/MainActivity.smali*. *checkFlag* function quickly grabbed eyeballs. As it's a native function, we need to look for the lower-level implementation, which is in ``lib``.
+
+```java
+...
+invoke-virtual {p0, v0}, Lfr/heroctf/jni/MainActivity;->checkFlag(Ljava/lang/String;)Z
+...
+# virtual methods
+.method public native checkFlag(Ljava/lang/String;)Z
+.end method
+```
+
+There are 4 *so* for 4 architectures respectively.
+
+```bash
+lib/
+lib/x86
+lib/x86/libnative-lib.so
+lib/arm64-v8a
+lib/arm64-v8a/libnative-lib.so
+lib/armeabi-v7a
+lib/armeabi-v7a/libnative-lib.so
+lib/x86_64
+lib/x86_64/libnative-lib.so
+```
+
+I decompiled the one for *x86_64*, *lib/x86_64/libnative-lib.so*.
+
+```c
+ulong Java_fr_heroctf_jni_MainActivity_checkFlag
+                (_JNIEnv *param_1,undefined8 param_2,_jstring *param_3)
+{
+  char *input;
+  size_t len;
+  long in_FS_OFFSET;
+  byte ret;
+  uchar is_copy;
+  long canary;
+  
+  canary = *(long *)(in_FS_OFFSET + 0x28);
+  input = (char *)GetStringUTFChars(param_1,param_3,&is_copy);
+  if ((((is_copy == '\x01') && (len = strlen(input), len == 3)) && (*input == '6')) &&
+     ((input[1] == '6' && (input[2] == '6')))) {
+    ret = 1;
+  }
+  else {
+    ret = 0;
+  }
+  if (*(long *)(in_FS_OFFSET + 0x28) == canary) {
+    return (ulong)ret;
+  }
+                    /* WARNING: Subroutine does not return */
+  __stack_chk_fail();
+}
+```
+
+According to the way it check flag, it's easy to point out what the kernel is, by adding the flag prefix and suffix, the flag is ``Hero{666}``.
+

heroctf-2021/h4XOR/decrypt.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python3
+from pwn import xor
+from random import randint
+from os import urandom
+
+
+output_img = open("flag.png", "wb")
+input_img = open("flag.png.enc", "rb").read()
+
+header = b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00"
+key = [0]*9
+for i in range(9):
+    key[i] = int(input_img[i]) ^ int(header[i])
+output_img.write(xor(input_img, key))

heroctf-2021/h4XOR/writeup.md

@@ -0,0 +1,39 @@
+
+From ``xor.py`` we know it generate a random key and xor it with the image to generate a encrypted one.
+
+```python
+#!/usr/bin/env python3
+from os import urandom
+from random import randint
+from pwn import xor
+
+input_img = open("flag.png", "rb").read()
+output_img = open("flag.png.enc", "wb")
+
+key = urandom(8) + bytes([randint(0, 9)])
+output_img.write(xor(input_img, key))
+```
+
+Since the origin image is *png* format, the header is widely known. If we xor the header with the first 9 bytes of encrypted image, we are able to get the key.
+
+```python
+key = header ^ flag.png.enc[:9]
+```
+
+```python
+output_img = open("flag.png", "wb")
+input_img = open("flag.png.enc", "rb").read()
+
+header = b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00"
+key = [0]*9
+for i in range(9):
+    key[i] = int(input_img[i]) ^ int(header[i])
+output_img.write(xor(input_img, key))
+```
+
+```bash
+$ file flag.png
+flag.png: PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
+```
+
+Open the decrypted image *flag.png* with ``ristretto``, the flag is at the bottom left, ``Hero{123_xor_321}``.

heroctf-2021/kernel-module-1/writeup.md

@@ -0,0 +1,14 @@
+
+The *cat* command on server is malfunctioning, *which* command said *cat* command is using */bin/cat*. To correct it, we remove */bin/cat*, the whole vm is built upon *busybox*, so soft link */bin/busybox* to */bin/cat*.
+
+```bash
+rm -f /bin/cat
+ln -s /bin/busybox /bin/cat
+```
+
+*cat /dev/safe* to get the flag.
+
+```bash
+cat /dev/safe
+Hero{s0_yOu_C4n_r34d_Fr0m_cHrD3v}
+```

heroctf-2021/kernel-module-2/decode_safe.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+import string
+
+expected = "OpenSesame"
+buf = ['?']*len(expected)
+
+for i in range(len(buf)):
+    for c in string.printable:
+        buf[i] = c
+
+        if ord(buf[i]) + 0xbf < 0x1a:
+            a = ord(buf[i]) - 0xd
+            if ord(buf[i]) + ord('\r') < ord('['):
+                a = ord(buf[i]) + ord('\r')
+            buf[i] = chr(a)
+        else:
+            a = -0xd
+            if ord(buf[i]) + 0xd < 0x7b:
+                a = ord('\r')
+            buf[i] = chr(ord(buf[i]) + a)
+
+        if buf[i] == expected[i]:
+            buf[i] = c
+            print(buf, end='\r')
+            break
+        buf[i] = '?'
+
+print()
+print(''.join(buf))