PETIR CYBER SECURITY – Page 2 – Tim kompetisi Capture The Flag (CTF) Universitas Bina Nusantara, yang merupakan tempat untuk belajar lebih dalam tentang Cyber Security secara intensif dan kompetitif.

October 19, 2019October 31, 2019

[PicoCTF 2019] – NewOverflow2

Posted in Binary Exploitation by ArkAngels Leave a Comment

Diberikan sebuah binary dengan konfigurasi sebagai berikut: Berikut adalah list fungsi yang ada dalam binary: Jika kita lihat isi fungsi win_fn akan terlihat sebagai berikut:

int win_fn()
{
  int result; // eax@6
  char s; // [sp+0h] [bp-40h]@4
  FILE *stream; // [sp+38h] [bp-8h]@1

  stream = fopen("flag.txt", "r");
  if ( !stream )
  {
    puts("'flag.txt' missing in the current directory!");
    exit(0);
  }
  fgets(&s, 48, stream);
  if ( win1 && win2 )
    result = printf("%s", &s);
  else
    result = puts("Nope, not quite...");
  return result;
}

int win_fn()

{

int result; // eax@6

char s; // [sp+0h] [bp-40h]@4

FILE *stream; // [sp+38h] [bp-8h]@1

stream = fopen("flag.txt", "r");

if ( !stream )

{

puts("'flag.txt' missing in the current directory!");

exit(0);

}

fgets(&s, 48, stream);

if ( win1 && win2 )

result = printf("%s", &s);

else

result = puts("Nope, not quite...");

return result;

}

Untuk bisa mendapatkan flag, kita harus membuat fungsi win_fn1 dan win_fn2 menjadi true. Berikut isi dari kedua fungsi tersebut:

void __fastcall win_fn1(int a1)
{
  if ( a1 == 0xDEADBEEF )
    win1 = 1;
}

void __fastcall win_fn1(int a1)

{

if ( a1 == 0xDEADBEEF )

win1 = 1;

}

__int64 __fastcall win_fn2(int a1, int a2, int a3)
{
  __int64 result; // rax@1

  result = (unsigned __int8)win1;
  if ( win1 && a1 == 0xBAADCAFE && a2 == 0xCAFEBABE && a3 == 0xABADBABE )
    win2 = 1;
  return result;
}

__int64 __fastcall win_fn2(int a1, int a2, int a3)

{

__int64 result; // rax@1

result = (unsigned __int8)win1;

if ( win1 && a1 == 0xBAADCAFE && a2 == 0xCAFEBABE && a3 == 0xABADBABE )

win2 = 1;

return result;

}

Disini terlihat bahwa untuk membuat value dari win1 […]

October 17, 2019October 31, 2019

[PicoCTF 2019] – Irish Name Repo 1-3

Posted in Web Exploitation by Bryan Lee Leave a Comment

Irish Name Repo 1 Link : https://2019shell1.picoctf.com/problem/32241/ Penulis mengetahui dari sebelumnya bahwa Irish Name Repo merupakan challenge SQL karena penulis kebetulan mengerjakan picoCTF2018. Oleh sebab itu penulis langsung menuju ke login page dari website tersebut. Terdapat sebuah login page untuk mengisi username dan password, mari kita coba payload yang paling basic yaitu

'OR 1=1-- -

1	'OR 1=1-- -

Flag = picoCTF{s0m3_SQL_0397f20c} Irish […]

October 6, 2019October 11, 2019

Protected: Cracking cracked IDA Pro 7 for macOS

Posted in Misc, Reverse Engineering by Anthony Viriya

There is no excerpt because this is a protected post.

October 5, 2019

[Overthewire] – Natas13

Posted in Web Exploitation by Bryan Lee Leave a Comment

Link : http://natas13.natas.labs.overthewire.org/ Password : jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY Pertama diberikan sebuah tampilan Nampaknya web ini hanya menerima file JPEG dan dapat diketahui ada mekanisme pertahanan untuk memastikan file yang di upload merupakan sebuah image file. Mari kita lihat source code yang disediakan

 <html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas13", "pass": "<censored>" };</script></head>
<body>
<h1>natas13</h1>
<div id="content">
For security reasons, we now only accept image files!<br/><br/>

<? 

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";    

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
    
    $err=$_FILES['uploadedfile']['error'];
    if($err){
        if($err === 2){
            echo "The uploaded file exceeds MAX_FILE_SIZE";
        } else{
            echo "Something went wrong :/";
        }
    } else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>

<head>

<body>

<h1>natas13</h1>

For security reasons, we now only accept image files!<br/><br/>

function genRandomString() {

$length = 10;

$characters = "0123456789abcdefghijklmnopqrstuvwxyz";

$string = "";

for ($p = 0; $p < $length; $p++) {

$string .= $characters[mt_rand(0, strlen($characters)-1)];

}

return $string;

}

function makeRandomPath($dir, $ext) {

do {

$path = $dir."/".genRandomString().".".$ext;

} while(file_exists($path));

return $path;

}

function makeRandomPathFromFilename($dir, $fn) {

$ext = pathinfo($fn, PATHINFO_EXTENSION);

return makeRandomPath($dir, $ext);

}

if(array_key_exists("filename", $_POST)) {

$target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

$err=$_FILES['uploadedfile']['error'];

if($err){

if($err === 2){

echo "The uploaded file exceeds MAX_FILE_SIZE";

} else{

echo "Something went wrong :/";

}

} else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {

echo "File is too big";

} else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {

echo "File is not an image";

} else {

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";

} else{

echo "There was an error uploading the file, please try again!";

}

} else {

Choose a JPEG to upload (max 1KB):<br/>

</form>

<? } ?>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

</div>

</body>

</html>

Terdapat sebuah variabel target_path yang menyimpan function bercabang makeRandomPathFromFilename dan makeRandomPath Function makeRandomPathFromFilename akan melakukan pengecekan […]

October 5, 2019

[RingZer0] – Security through obscurity!

Posted in Web Exploitation by Angeline Leave a Comment

Link soal: https://ringzer0ctf.com/challenges/45/ Diberikan soal sebagai berikut Hal yang pertama kita lakukan adalah mencoba untuk mencari-cari sesuatu di inspect element Setelah beberapa waktu kita melihat-lihat, kita menemukan keanehan pada bagian cookie Pada cookie, terdapat tulisan AUTH (authentication), lalu kita pun melihat value dari AUTH tersebut Setelah kita lihat value dari AUTH “Z3Vlc3QsN2M2MjEyYzdjZmQ5YjRkYiwxNTY5ODYzOTU1LGZhbHNlOjZhYzk1ZjViNDM4Yzk3Y2I5NzcxM2NhNTM4NjJiN2I4” Kita bisa lihat […]

October 5, 2019

[CSAW CTF Qualification Round 2019] – Beleaf

Posted in Reverse Engineering by DZ Leave a Comment

Langkah awal yaitu check file dengan file “filename” (rev type) / pwn checksec ” filename”(pwn type) Setelah itu , kita buka ida untuk melihat keseluruhan function pada file “beleaf”. Ini adalah seluruh function yang terdapat pada file beleaf. Dan saya mendapat 2 funcion menarik pada file beleaf. pertama adalah : main function kedua : […]

September 29, 2019

[Overthewire] – Natas12

Posted in Web Exploitation by Bryan Lee Leave a Comment

Link : http://natas12.natas.labs.overthewire.org/ Username : natas12 Password : EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 Pertama diberikan sebuah tampilan Nampaknya kita bisa melakukan upload sebuah file JPEG yang maksimum hanya berukuran 1KB Penulis langsung berpikir ini adalah challenge mendapatkan shell dengan unrestricted file upload, tetapi untuk lebih jelasnya mari kita membuka source code yang diberikan Source code yaitu

 <html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas12", "pass": "<censored>" };</script></head>
<body>
<h1>natas12</h1>
<div id="content">
<? 

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";    

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);


        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>

<head>

<body>

<h1>natas12</h1>

function genRandomString() {

$length = 10;

$characters = "0123456789abcdefghijklmnopqrstuvwxyz";

$string = "";

for ($p = 0; $p < $length; $p++) {

$string .= $characters[mt_rand(0, strlen($characters)-1)];

}

return $string;

}

function makeRandomPath($dir, $ext) {

do {

$path = $dir."/".genRandomString().".".$ext;

} while(file_exists($path));

return $path;

}

function makeRandomPathFromFilename($dir, $fn) {

$ext = pathinfo($fn, PATHINFO_EXTENSION);

return makeRandomPath($dir, $ext);

}

if(array_key_exists("filename", $_POST)) {

$target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {

echo "File is too big";

} else {

if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";

} else{

echo "There was an error uploading the file, please try again!";

}

} else {

Choose a JPEG to upload (max 1KB):<br/>

</form>

<? } ?>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

</div>

</body>

</html>

Mari kita telaah alur […]

September 29, 2019

[Petir Challenge] – babyphp

Posted in Web Exploitation by Nano.Class Leave a Comment

Pada soal ini diberikan sebuah web yang memberikan source codenya. Terlihat pada soal menerima beberapa input yaitu “kunci1” dan “kunci2” dengan method GET. Soal terdiri dari beberapa pengecekan( Validasi ). Validasi pertama adalah mengecek, apakah salah satu dari syarat benar ( menggunakan OR ). apakah angka dari variable $k1 sama dengan $hoho ( 1337 […]

September 25, 2019October 19, 2019

[PicoCTF 2018] – ropchain

Posted in Binary Exploitation by ArkAngels Leave a Comment

Untuk soal ini, kita diberikan sebuah file binary dan source code C.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>

#define BUFSIZE 16

bool win1 = false;
bool win2 = false;


void win_function1() {
  win1 = true;
}

void win_function2(unsigned int arg_check1) {
  if (win1 && arg_check1 == 0xBAAAAAAD) {
    win2 = true;
  }
  else if (win1) {
    printf("Wrong Argument. Try Again.\n");
  }
  else {
    printf("Nope. Try a little bit harder.\n");
  }
}

void flag(unsigned int arg_check2) {
  char flag[48];
  FILE *file;
  file = fopen("flag.txt", "r");
  if (file == NULL) {
    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
    exit(0);
  }

  fgets(flag, sizeof(flag), file);
  
  if (win1 && win2 && arg_check2 == 0xDEADBAAD) {
    printf("%s", flag);
    return;
  }
  else if (win1 && win2) {
    printf("Incorrect Argument. Remember, you can call other functions in between each win function!\n");
  }
  else if (win1 || win2) {
    printf("Nice Try! You're Getting There!\n");
  }
  else {
    printf("You won't get the flag that easy..\n");
  }
}

void vuln() {
  char buf[16];
  printf("Enter your input> ");
  return gets(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);
  vuln();
}

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

#include <sys/types.h>

#include <stdbool.h>

#define BUFSIZE 16

bool win1 = false;

bool win2 = false;

void win_function1() {

win1 = true;

}

void win_function2(unsigned int arg_check1) {

if (win1 && arg_check1 == 0xBAAAAAAD) {

win2 = true;

}

else if (win1) {

printf("Wrong Argument. Try Again.\n");

}

else {

printf("Nope. Try a little bit harder.\n");

}

void flag(unsigned int arg_check2) {

char flag[48];

FILE *file;

file = fopen("flag.txt", "r");

if (file == NULL) {

printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");

exit(0);

}

fgets(flag, sizeof(flag), file);

if (win1 && win2 && arg_check2 == 0xDEADBAAD) {

printf("%s", flag);

return;

}

else if (win1 && win2) {

printf("Incorrect Argument. Remember, you can call other functions in between each win function!\n");

}

else if (win1 || win2) {

printf("Nice Try! You're Getting There!\n");

}

else {

printf("You won't get the flag that easy..\n");

}

void vuln() {

char buf[16];

printf("Enter your input> ");

return gets(buf);

}

int main(int argc, char **argv){

setvbuf(stdout, NULL, _IONBF, 0);

// Set the gid to the effective gid

// this prevents /bin/sh from dropping the privileges

gid_t gid = getegid();

setresgid(gid, gid, gid);

vuln();

}

Untuk konfigurasi file binary masih sama seperti writeup ini. Dilihat dari source code C yang kita dapat, kita harus mendapatkan value true pada fungsi win1 dan win2 untuk bisa mendapatkan flag yang terdapat pada fungsi flag. Tapi permasalahannya ketiga fungsi tersebut tidak […]

September 25, 2019

[Overthewire] – Natas11

Posted in Web Exploitation by Bryan Lee 2 Comments

Link : http://natas11.natas.labs.overthewire.org/ Username : natas11 Password : U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK Pertama kita diberikan sebuah tampilan Kelihatannya kita bisa mengubah warna background dengan memasukkan kode warna di kolom input seperti Baik mari kita langsung cek source codenya

 <html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas11", "pass": "<censored>" };</script></head>
<?

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {
    $key = '<censored>';
    $text = $in;
    $outText = '';

    // Iterate through each character
    for($i=0;$i<strlen($text);$i++) {
    $outText .= $text[$i] ^ $key[$i % strlen($key)];
    }

    return $outText;
}

function loadData($def) {
    global $_COOKIE;
    $mydata = $def;
    if(array_key_exists("data", $_COOKIE)) {
    $tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);
    if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {
        if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {
        $mydata['showpassword'] = $tempdata['showpassword'];
        $mydata['bgcolor'] = $tempdata['bgcolor'];
        }
    }
    }
    return $mydata;
}

function saveData($d) {
    setcookie("data", base64_encode(xor_encrypt(json_encode($d))));
}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {
    if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {
        $data['bgcolor'] = $_REQUEST['bgcolor'];
    }
}

saveData($data);



?>

<h1>natas11</h1>
<div id="content">
<body style="background: <?=$data['bgcolor']?>;">
Cookies are protected with XOR encryption<br/><br/>

<?
if($data["showpassword"] == "yes") {
    print "The password for natas12 is <censored><br>";
}

?>

<form>
Background color: <input name=bgcolor value="<?=$data['bgcolor']?>">
<input type=submit value="Set color">
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>

<head>

$defaultdata = array( "showpassword"=>"no", "bgcolor"=>"#ffffff");

function xor_encrypt($in) {

$key = '<censored>';

$text = $in;

$outText = '';

// Iterate through each character

for($i=0;$i<strlen($text);$i++) {

$outText .= $text[$i] ^ $key[$i % strlen($key)];

}

return $outText;

}

function loadData($def) {

global $_COOKIE;

$mydata = $def;

if(array_key_exists("data", $_COOKIE)) {

$tempdata = json_decode(xor_encrypt(base64_decode($_COOKIE["data"])), true);

if(is_array($tempdata) && array_key_exists("showpassword", $tempdata) && array_key_exists("bgcolor", $tempdata)) {

if (preg_match('/^#(?:[a-f\d]{6})$/i', $tempdata['bgcolor'])) {

$mydata['showpassword'] = $tempdata['showpassword'];

$mydata['bgcolor'] = $tempdata['bgcolor'];

}

return $mydata;

}

function saveData($d) {

setcookie("data", base64_encode(xor_encrypt(json_encode($d))));

}

$data = loadData($defaultdata);

if(array_key_exists("bgcolor",$_REQUEST)) {

if (preg_match('/^#(?:[a-f\d]{6})$/i', $_REQUEST['bgcolor'])) {

$data['bgcolor'] = $_REQUEST['bgcolor'];

}

saveData($data);

<h1>natas11</h1>

Cookies are protected with XOR encryption<br/><br/>

if($data["showpassword"] == "yes") {

print "The password for natas12 is <censored><br>";

}

<form>

Background color: <input name=bgcolor value="<?=$data['bgcolor']?>">

</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

</div>

</body>

</html>

Mari kita perhatikan bagian bagian yang mengandung code php saja, nampaknya kita bisa mendapatkan password untuk natas12 jika kita berhasil mengganti […]