UIU CTF 2023

Some Misc challenges from UIU CTF 2023 🪟

Preface

A few days ago, I participated in a fun CTF contest with my team and solved a few misc challenges. Although they are all easy, I still learned something from them and want to keep a note here for the future.

/images/writeups/uiu/rank.png
Solves

Corny Kernel

Note

Use our corny little driver to mess with the Linux kernel at runtime!

$ socat file:$(tty),raw,echo=0 tcp:corny-kernel.chal.uiuc.tf:1337

After connecting to the server, I noticed there was a kernel module file in gzip compressed format. The challenge also gave us the source code of this, so let's check it out.

// SPDX-License-Identifier: GPL-2.0-only

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>

/* Both halves of the flag are defined outside this module; it only prints them. */
extern const char *flag1, *flag2;

/* Runs on insmod. KERN_ALERT is urgent enough to be printed straight to the console. */
static int __init pwny_init(void)
{
	pr_alert("%s\n", flag1);
	return 0;
}

/* Runs on rmmod. KERN_INFO sits below the console log level here, so this only reaches the ring buffer. */
static void __exit pwny_exit(void)
{
	pr_info("%s\n", flag2);
}

module_init(pwny_init);
module_exit(pwny_exit);

MODULE_AUTHOR("Nitya");
MODULE_DESCRIPTION("uiuctf23");
MODULE_LICENSE("GPL");
MODULE_VERSION("0.1");

Hmmmm, I guess we can just load it and then unload it to see the flag.

You can use insmod and rmmod to load and unload the module.

/images/writeups/uiu/kernel1.png
First part of the flag

As you can see, we get the first part of the flag right on the console: pr_alert() logs at KERN_ALERT, which is urgent enough to be printed to the console immediately. The last part is logged by pr_info() on unload at KERN_INFO, which is below this box's console log level (the first number in /proc/sys/kernel/printk), so it only reaches the kernel ring buffer; use dmesg to read it.

/images/writeups/uiu/kernel2.png
Last part
FLAG:

uiuctf{m4ster_k3rNE1_haCk3r}


vimjail series

vimjail1

Note
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail1.chal.uiuc.tf:1337. You may need to install socat.

If you connect to the server, you land in a Vim session stuck in Insert mode. Everything you type is simply inserted as text, and the usual ways back to Normal mode do not work, so at first sight it's almost impossible to get out of this.

/images/writeups/uiu/vimenv.png
Vim session

What do we do now? Let’s see the attachments. We have four files but we just need to pay attention to entry.sh and vimrc.

#!/usr/bin/env sh

chmod -r /flag.txt

vim -R -M -Z -u /home/user/vimrc

So vim is started with -R (read-only), -M (modifications not allowed), -Z (restricted mode: commands that use an external shell, such as :! and system(), are disabled) and -u, which loads only the given vimrc. entry.sh also drops read permission on /flag.txt before launching vim.

set nocompatible
set insertmode

inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope

They map four key combinations to insert the text "nope" instead of doing their normal job. With 'insertmode' set, Vim starts in (and keeps returning to) Insert mode, and these four are the documented ways out of it: <c-o> runs one Normal-mode command, <c-l> and <c-\><c-n> switch to Normal mode, and <c-z> suspends Vim. The point is to find a combination they missed, so we can get out of Insert mode and type ":" commands.

I’ve tried many combinations and this worked for me: “<c-\><c-o>”

/images/writeups/uiu/insert1.png
Into Insert mode

We escaped!!!

/images/writeups/uiu/flag1.png
Got the flag

<c-\><c-o> is not mapped, and it behaves like <c-o>: it executes one Normal-mode command (without moving the cursor), which is enough to type a ":" command. You can read from here to know why we can execute commands in that mode: Link

FLAG:

uiuctf{n0_3sc4p3_f0r_y0u_8613a322d0eb0628}


vimjail2

Note
Connect with socat file:$(tty),raw,echo=0 tcp:vimjail2.chal.uiuc.tf:1337. You may need to install socat.

Same jail, different goal.

#!/usr/bin/env sh

vim -R -M -Z -u /home/user/vimrc -i /home/user/viminfo

cat /flag.txt

In this challenge we need to exit vim to see the flag: entry.sh runs cat /flag.txt only after vim terminates.

set nocompatible
set insertmode

inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\><c-n> nope

cnoremap a _
cnoremap b _
cnoremap c _
cnoremap d _
cnoremap e _
cnoremap f _
cnoremap g _
cnoremap h _
cnoremap i _
cnoremap j _
cnoremap k _
cnoremap l _
cnoremap m _
cnoremap n _
cnoremap o _
cnoremap p _
cnoremap r _
cnoremap s _
cnoremap t _
cnoremap u _
cnoremap v _
cnoremap w _
cnoremap x _
cnoremap y _
cnoremap z _
cnoremap ! _
cnoremap @ _
cnoremap # _
cnoremap $ _
cnoremap % _
cnoremap ^ _
cnoremap & _
cnoremap * _
cnoremap - _
cnoremap + _
cnoremap = _
cnoremap ` _
cnoremap ~ _
cnoremap { _
cnoremap } _
cnoremap [ _
cnoremap ] _
cnoremap \| _
cnoremap \ _
cnoremap ; _
cnoremap < _
cnoremap > _
cnoremap , _
cnoremap . _
cnoremap / _
cnoremap ? _

This time they also map the command-line keys (cnoremap), so almost everything we type after ":" turns into "_". Not every key, though: "q" and ":" are not mapped (nor are the digits, the uppercase letters and a few symbols), which is all we need, because ":q" exits as usual.

Same escape as in vimjail1 (<c-\><c-o>), but this time we type ":q" to exit.

/images/writeups/uiu/quit.png
Now we can type :q

Got the flag here:

/images/writeups/uiu/flag2.png
Got the flag when exit Vim
FLAG:

uiuctf{<left><left><left><left>_c364201e0d86171b}


vimjail1.5

Note

Fixed unintended solve in vimjail1

Connect with socat file:$(tty),raw,echo=0 tcp:vimjail1-5.chal.uiuc.tf:1337. You may need to install socat.

LOL, they fixed the old approach 🥲

What’s different with new vimrc?

set nocompatible
set insertmode

inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\> nope

They replaced the <c-\><c-n> mapping with one on <c-\> alone. The mapping now fires as soon as <c-\> is pressed, so the <c-o> that follows is handled on its own and hits its own "nope" mapping: the vimjail1 escape no longer works.

After a few hours of trying combinations, I found this document on the Internet.

Here’s the interesting part:

/images/writeups/uiu/com.png
We can use this to send our payload

Ohh, how about we send “\<c-o>” instead? Let’s try it.

/images/writeups/uiu/mode.png
Can type right now!

Now I have entered expression mode.

Pressing <c-r> in Insert mode asks for a register to insert; "=" is the expression register, which evaluates whatever we type at the prompt and inserts the result as if it had been typed, but without applying mappings (:help i_CTRL-R). The expression "\<c-o>" evaluates to a single Ctrl-O character, so the inoremap on <c-o> never sees it and Vim runs it as a one-shot Normal-mode command.

/images/writeups/uiu/insert2.png
Into Insert mode

Successfully escaped with our payload!!

/images/writeups/uiu/flag3.png
Flag here guys!
FLAG:

uiuctf{ctr1_r_1s_h4ndy_277d0fde079f49d2}


vimjail2.5

Note

Fixed unintended solve in vimjail2

Connect with socat file:$(tty),raw,echo=0 tcp:vimjail2-5.chal.uiuc.tf:1337. You may need to install socat.

Same jail as vimjail2 (the cnoremap block that turns almost every command-line key into "_", leaving "q" and ":" free), but with vimjail1.5's <c-\> mapping on top, so the <c-\><c-o> escape is gone as well.

So the question is: how do we bypass it?

Let's take a look back at the vimrc file. The cnoremaps cover single printable keys, not control characters, so a raw <c-o> is still a usable payload. This time we cannot type it as the text \<c-o> (the letters, "\" and "<" are all mapped to "_"); instead we press Ctrl-O itself inside the quoted expression. The double quote is not mapped, and the literal ^O ends up in the string.

/images/writeups/uiu/mode2.png
Payload

And here is the result:

/images/writeups/uiu/flag4.png
Flag here LMAO
FLAG:

uiuctf{1_kn0w_h0w_7o_ex1t_v1m_7661892ec70e3550}
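As an added example (not part of the writeup or the challenge files), the script below audits the four vimrc variants from this series the way I would before shipping a jail like this: it parses the inoremap/cnoremap lines, checks which of the Insert-mode escapes discussed above are still reachable (a mapping only neutralises a sequence when its lhs is a prefix of it), and lists which printable keys the cnoremap block leaves free on the command line. The vimrc contents are copied from the page; the list of escapes is limited to the ones this writeup uses and is not a complete inventory of Vim's ways out of 'insertmode'.

```python
import re

# Insert-mode sequences that leave or bypass 'insertmode', as discussed in the
# writeup: the four the jail maps, plus the two bypasses it used (<c-\><c-o>, and
# <c-r>= which inserts an expression's result "as if typed" without mappings).
# Not an exhaustive list of Vim escapes.
INSERT_ESCAPES = ["<c-o>", "<c-l>", "<c-z>", "<c-\\><c-n>", "<c-\\><c-o>", "<c-r>="]

# The vimrc files as shown on the page. vimjail1 and vimjail1.5 differ only in
# the last inoremap; vimjail2 / 2.5 add the cnoremap block on top of them.
VIMJAIL1_RC = """set nocompatible
set insertmode

inoremap <c-o> nope
inoremap <c-l> nope
inoremap <c-z> nope
inoremap <c-\\><c-n> nope
"""
VIMJAIL1_5_RC = VIMJAIL1_RC.replace("<c-\\><c-n>", "<c-\\>")
CNOREMAPS = "\n".join(
    [f"cnoremap {c} _" for c in "abcdefghijklmnoprstuvwxyz!@#$%^&*-+=`~{}[]"]
    + ["cnoremap \\| _", "cnoremap \\ _"]
    + [f"cnoremap {c} _" for c in ";<>,./?"]
) + "\n"
VIMJAIL2_RC = VIMJAIL1_RC + "\n" + CNOREMAPS
VIMJAIL2_5_RC = VIMJAIL1_5_RC + "\n" + CNOREMAPS

TOKEN = re.compile(r"<[^>]+>|.")


def tokens(keys):
    """Split Vim key notation into single keys, lower-cased:
    '<c-\\><c-o>' -> ['<c-\\>', '<c-o>'];  '<c-r>=' -> ['<c-r>', '=']."""
    return [t.lower() for t in TOKEN.findall(keys)]


def parse_maps(vimrc):
    """Return the lhs token lists of every inoremap / cnoremap, keyed by mode."""
    maps = {"i": [], "c": []}
    for line in vimrc.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("inoremap", "cnoremap"):
            lhs = "|" if parts[1] == "\\|" else parts[1]  # '\|' is how a literal bar is written
            maps[parts[0][0]].append(tokens(lhs))
    return maps


def blocked(seq, lhss):
    """A mapping neutralises an escape if its lhs is a prefix of the sequence:
    once the prefix fires, the keys after it are typed on their own (and get
    mapped on their own), so the original multi-key escape never forms."""
    return any(seq[: len(lhs)] == lhs for lhs in lhss)


def audit(vimrc):
    maps = parse_maps(vimrc)
    open_escapes = [e for e in INSERT_ESCAPES if not blocked(tokens(e), maps["i"])]
    single_cmd = {lhs[0] for lhs in maps["c"] if len(lhs) == 1}
    # printable ASCII still typeable as itself on the ':' / '=' command line
    free_cmd = "".join(chr(c) for c in range(0x21, 0x7F) if chr(c) not in single_cmd)
    return {"insert_escapes_open": open_escapes, "cmdline_free": free_cmd}


if __name__ == "__main__":
    for name, rc in [("vimjail1", VIMJAIL1_RC), ("vimjail1.5", VIMJAIL1_5_RC),
                     ("vimjail2", VIMJAIL2_RC), ("vimjail2.5", VIMJAIL2_5_RC)]:
        r = audit(rc)
        print(f"{name:11} open: {r['insert_escapes_open']}  cmdline free: {r['cmdline_free']!r}")
```

It reports <c-\><c-o> as open for vimjail1 and vimjail2, and <c-r>= as open for all four, which is the hole the 1.5/2.5 fixes left: an inoremap on <c-r> would have closed it, while the cnoremap block cannot, because a control character pressed at the = prompt is not one of the printable keys it remaps (note that the double quote is also still free, which is what the vimjail2.5 payload relies on).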


Tornado Warning

Note

“Check out this alert that I received on a weather radio. Somebody transmitted a secret message via errors in the header! Fortunately, my radio corrected the errors and recovered the original data. But can you find out what the secret message says?

Note: flag is not case sensitive.”

Hint 1: The header is encoded with Specific Area Message Encoding.

Hint 2: The three buzzes are supposed to be identical, but in this challenge, they are different due to errors.

The challenge gives us an audio file. If you play it, you'll hear that it's just a simple weather warning recording. What are they hiding from us?

As the first hint said, the header is encoded with SAME. Google gave me this answer.

/images/writeups/uiu/term.png
Data format

Okay, that's easy: just find a tool that supports extracting the SAME header from the wav file and see what we get.

I found this tool:

/images/writeups/uiu/tool.png

It can be used to read and extract the SAME header from a wav file, which is exactly what we need.

/images/writeups/uiu/usage.png
Usage

Extracting the header:

/images/writeups/uiu/header.png
Extracted data

The flag is embedded in the first three lines, which are the three transmissions of the header: SAME sends the header three times so a receiver can repair a corrupted copy by majority vote, and the challenge hides its message in those "errors". At each position, two of the three copies carry the original character and the third carries a message character; where all three are identical, the message character happens to equal the original, so we just take the common one. Picking the odd one out at each position recovers the message.

I wrote a small script here:

# The three SAME header bursts extracted from the audio. They should be
# identical; the flag was injected as "errors" into them.
s = """
ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-
ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-
ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-
"""

str1, str2, str3 = [i for i in s.splitlines() if i != '']
flag = ''
# Skip the fixed "ZCZC-" preamble and the trailing "S-"; the flag sits in between.
for i in range(5, len(str1) - 2):
    tmp = sorted([str1[i], str2[i], str3[i]])
    # After sorting, the odd one out is either first or last. If the first two
    # match, the third is the odd one (or all three agree, and then it doesn't matter).
    if tmp[0] == tmp[1]:
        flag += tmp[2]
    else:
        flag += tmp[0]
print(flag.lower())
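The following is an added example, not the author's script or a challenge tool, that does the same recovery without hard-coded offsets: it majority-votes every column, so it returns both the corrected header (what the radio recovered) and the hidden message (the dissenting characters, read from the first to the last column where a burst disagrees), marks columns where all three bursts differ with "?" instead of guessing, and splits the corrected header into its SAME fields using the standard layout ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-. The three bursts are the ones extracted above; the field names in the regex are my own.

```python
import re
from collections import Counter

# The three header bursts as extracted from the challenge audio (copied from the
# writeup above). SAME repeats the header three times; a receiver keeps the
# majority value per position, which is the error correction the challenge
# text describes.
BURSTS = [
    "ZCZC-UXU-TFR-R18007ST_45-0910BR5-KIND3RWS-",
    "ZCZC-WIR-TO{3018W0R+00T5-09UT115-K_EV/NWS-",
    "ZCZC-WXRCTOR-0D_007+004OR_O1011E@KIND/N}S-",
]

# Standard SAME header layout: ZCZC-ORG-EEE-PSSCCC[-PSSCCC...]+TTTT-JJJHHMM-LLLLLLLL-
# (originator, event code, location codes, duration, issue time, sender id).
SAME_RE = re.compile(
    r"^ZCZC-(?P<org>[A-Z]{3})-(?P<event>[A-Z]{3})(?P<locs>(?:-\d{6})+)"
    r"\+(?P<duration>\d{4})-(?P<issued>\d{7})-(?P<sender>[^-]{8})-$"
)


def vote(column):
    """Majority vote over one position of the three bursts.
    Returns (majority, dissenter): dissenter is the single character that
    disagrees with the other two (None when all agree); majority is None when
    all three differ, which a 2-of-3 vote cannot resolve."""
    (top, n), = Counter(column).most_common(1)
    if n == 3:
        return top, None
    if n == 2:
        (odd,) = [c for c in column if c != top]
        return top, odd
    return None, None


def decode(bursts):
    """Return (corrected_header, hidden_message).
    The message spans the first to the last column where a burst dissents;
    inside that span, columns where all three agree contribute their common
    character, because there the message character coincided with the header."""
    if len({len(b) for b in bursts}) != 1:
        raise ValueError("bursts must have equal length")
    votes = [vote(col) for col in zip(*bursts)]
    corrected = "".join(m if m is not None else "?" for m, _ in votes)
    noisy = [i for i, (m, d) in enumerate(votes) if d is not None or m is None]
    if not noisy:
        return corrected, ""
    lo, hi = noisy[0], noisy[-1]
    message = "".join(
        d if d is not None else (m if m is not None else "?")
        for m, d in votes[lo:hi + 1]
    )
    return corrected, message


def parse_same(header):
    """Split a corrected SAME header into its fields; None if it does not parse."""
    m = SAME_RE.match(header)
    if not m:
        return None
    fields = m.groupdict()
    fields["locs"] = fields["locs"].strip("-").split("-")
    return fields


if __name__ == "__main__":
    corrected, message = decode(BURSTS)
    print("corrected header:", corrected)
    print("fields:", parse_same(corrected))
    print("hidden message:", message.lower())  # the flag is not case sensitive
```

Recovering the corrected header as well is a useful sanity check: it should parse as a well-formed SAME header (here a TOR event from a WXR originator), and if it does not, the three bursts were probably not aligned or one of them was mis-decoded by the extraction tool.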
FLAG:

uiuctf{3rd_w0rst_tor_outbre@k_ev3r}