CrossCTF 2017

Last week, I took part in the qualifier round of CrossCTF, organized by NUS Greyhats and the SMU Whitehat Society.

It was a really great experience for me, as it was the first local high school CTF I had taken part in, after PicoCTF and PACTF.

In the first 4 hours, we managed to get the highest score alongside a few other teams from other institutions. But it was midnight, so maybe most people were sleeping and decided to attempt the challenges in the morning.

After having a nice sleep, we continued attempting the challenges. However, there was not much progress, as one of our teammates was busy and we were also stuck.

On Day 2, we saw that the top teams were already almost 100 points ahead of us, and more challenges had been released. We quickly solved the easy ones to catch up on ranking, and got back into the game.

Time passed pretty fast, and it was already dinner time, with around 5 hours left in the competition. We aimed to at least solve all the easy challenges in this short remaining period of time.

In the last hour, we managed to solve a pwn-category challenge and moved up to the top of the scoreboard. Man, it felt so good when we saw the shell open for us.

At this point, we knew that, based on our abilities, we would not be able to solve any of the remaining reversing/pwn challenges. Our best bet was a cryptography challenge. Unfortunately, we were working in a completely different direction and did not manage to crack it.

In the end, it was a really great experience and we managed to qualify for the on-site finals, which is an Attack-Defense (AD) CTF.

Writeups

Cryptography

CrossCTF – Particle Collision Challenge – 5 points

Problem

Our large hadron collider feeds off files that produce the same SHA1 hashsum value. Could you help us power up our collider? We will give you a flag in return! Our collider can be found at http://128.199.98.78:8081/

Screenshot

[Screenshot: sha1collision]

Solution

Recently, a team from Google published a paper showing that SHA1 is no longer secure, and that collisions can be generated in practice.

First, we tried uploading the example PDF files from here. But we got this message.

[Screenshot: sha1collisionseen]

I guess it’s not as simple as just downloading files from a website, or another team had already submitted these files. After doing some research on Google, we found this tool.

By choosing 2 random images we found, we easily generated our own pair of PDF files with the same SHA1 hashsum value.

[Screenshot: sha1flag.png]


Dota 2 – Playing as Position 4

Other than doing programming and CTF challenges, I also enjoy playing Dota 2. For non-Dota 2 players reading this, please don’t leave; I assure you it will be a good read.

Role

A position 4 player is rather different from other positions. This player does not stay in a lane, so where does the player go? Sometimes the player farms in the jungle, sometimes the player roams, but the most important part is that the position 4 is responsible for performing ganks (something like an ambush attack) on the 3 lanes in the game, in order to give an advantage to the teammates.

A successful position 4 player will hugely improve their teammates’ gameplay, while at the same time putting up a wall against the enemy’s momentum.

I only changed to playing position 4 recently. Before that, I often played as a position 5 support, which is the poorest player on the team, fully responsible for buying support items like wards… and even worse, sacrificing my life if necessary to keep the carries alive.

But recently, I watched a number of professional games and got interested in playing as position 4, and the outcomes have been way better than in my position 5 games.

Why play support?

In Dota 2, not a lot of people like to pick up the support role. Why, those not playing Dota may ask?

The support role is not that fun: you don’t get nice numbers on the scoreboard. Gold per minute (GPM), experience per minute (XPM), net worth, kills/deaths/assists (KDA): you will most likely be at the bottom of the chart for any of these numbers. The only number that looks good will be “gold spent on support items”, but I guess no one is really enthusiastic about that.

We’re just getting started… Being a support means you dedicate your gold to support items, meaning no fancy items to boost your damage or disable your enemies (unless your team is winning very badly). Being a support means you get scolded if your teammates die because you were not there for them or you did not plant a ward to provide them with ample vision (even though you know you did). Besides, being a support is boring to most people, as it is not very “action-packed”, for reasons like not getting kills in a fight, etc…

If it’s that bad, why do I play as a support?

Firstly, it is precisely because no one likes to play support. A team without supports will most likely lose the game due to multiple factors, some of them being no wards and 5 people fighting for the limited farm in the game. Such factors will not only put the team at a large disadvantage, but will also affect the players psychologically as they die again and again due to lack of vision, or from being underfarmed. To prevent such things from happening, I’ll play support if no one else wants to.

Also, I do not care too much about the numbers as long as my team wins, since my role, as mentioned earlier, is to make sure my carries are protected and get all the farm they need to win us the game.

Experience as a Position 5

Playing as a position 5 does not mean you only place wards; most of the time, the position 5 will be the captain of the team. In almost every professional team, the captain is the position 5 player. This is simply because the other roles have to worry about things like kills, last hits, etc., and do not have the time to care about the overview of the game.

The support, however, will worry less about these things and spend more effort evaluating the state of the game, making decisions such as whether to take Roshan, push the lane, or take teamfights. In most games, although my teammates are already way stronger than the enemy team, they still walk around in circles, farm in the jungle, or walk alone into the enemy and feed, as there is no coordination in the team on what to do. So there is a real need for a player telling everyone else what to do (in a polite manner, of course).

As a support, I find it very important that I make decisions throughout the game and communicate (hopefully) with my team on what we should do, and another important thing: keep all team members positive, as once somebody gets frustrated, it becomes very problematic.

However, if the carries are bad at the game, there is little to zero hope of a position 5 support winning the game, as that player will be severely underfarmed compared to the carries. This is rather different for a position 4, as a position 4 support will be involved in most kills and can skip buying wards when they are unnecessary, hence still getting the gold and experience the hero needs.

Transitioning into Position 4

Recently, I have watched a number of professional games and got interested in playing as position 4. What interests me is their ability to spot bad positioning by the enemy heroes and perform beautiful ganks to punish those small mistakes, giving their team an early advantage. Most of the time, these position 4 players choose heroes like Earth Spirit, Monkey King and Riki, and indeed, these are the heroes I have been playing recently.

Ever since I started playing as a position 4, I find myself being more map-aware, as I constantly look out for who is in a bad position in the lane, or who might be in the jungle for me to ambush. Also, in most games I played, in the first 20 minutes of the game, 90% of the kills by my team were associated with me, and that is a really good sense of achievement. Sometimes, I even become so annoying to the enemy that they rage quit the game, and that’s something I’m really proud of. :p

I guess for now as I really enjoy playing this role, I’ll be playing this role for at least a few months, until I find something else that interests me. Also, since the new 7.00 patch by Valve, I have not really done my research on the timings for stacking and pulling jungle camps, so maybe I’ll take a break from playing position 5 for now.

Final words

This post may be quite long, as I tried to explain the mechanics of the game to non-Dota 2 players. Maybe my next post will be much shorter than this. Still, I hope you enjoyed this post.

Not a good idea to share RingZer0 Online CTF writeups here

A few hours after posting my first RingZer0 CTF writeup, I think it may not be a good idea to do so. Even though they did not say it, I remember most wargames try to stop people from sharing writeups online, so I realized I should not be sharing my writeups here, as it would prevent users from attempting the challenges themselves. Not even hints, because RingZer0 already allows you to buy hints from them.

From now on, I’ll be posting writeups on past CTF competitions instead.

Bye.


RingZer0 CTF – Time to learn x86 ASM & gdb

My writeups for now will be mainly on the challenges of the RingZer0 Team Online CTF, but I will also do writeups for CTFs I join. If you have not heard of RingZer0, head to their site and create your account.

The challenge can be found here, and we can download a binary file from the question.

What does the binary do?

First, let’s run the given binary.

[Screenshot: challenge11-binary-output]

No flag is given. Where is the flag? Probably it is built inside the program but never printed out.

Disassemble the binary

Now, let’s open the program in GDB.

[Screenshot: challenge11-disas-1]

Disassembling the binary, the first 2 functions called are malloc and memset. We can see that malloc is called to allocate an array of size 24, and memset is then called to fill the array with zeroes.

From this, it is very likely that a string of size 24 is being created here.

[Screenshot: challenge11-disas-2]

After malloc and memset, other than calling puts on the strings “Loading…” and “Where is the flag?”, we see that the program just performs a bunch of string operations on that string.

So, let’s follow the instructions and try to work out the flag!

Nah, ain’t nobody got time for that. Why don’t we just get the address of the string and print the flag out at the end of the program?

Get the address of the string

Set a breakpoint at the malloc call, then run the program and print the value of eax once malloc returns, to get the address of the array.

[Screenshot: challenge11-disas-3]

Here, we find that the address of the array is 0x0804b008.

Get the flag!

[Screenshot: challenge11-string-address]

Let’s choose somewhere near the end of the program to set a breakpoint, so that we can get the contents of the flag.

0x08048544 looks fine; there seem to be no more operations on the string at this point.

[Screenshot: challenge11-flag]

We set a breakpoint at 0x08048544, continue the program from where we left off earlier, then examine the contents at the address we obtained previously as a string.

And we get the flag: FLAG-4092849uio2jfklsj4kl
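The same procedure as a GDB command file, so the flag can be dumped in one batch run instead of typing each step by hand. This is an added example, not part of the original writeup: it assumes the 32-bit x86 binary from the challenge (the file name challenge11 is a placeholder), reuses the end-of-program address 0x08048544 found above, and captures the buffer address from eax after malloc returns rather than hard-coding 0x0804b008, since heap addresses may differ between runs.

```gdb
# dump_flag.gdb: added example, not from the original writeup.
# Run with: gdb -q -batch -x dump_flag.gdb ./challenge11
# Assumptions: 32-bit x86 binary; 0x08048544 is the address found above
# where no further string operations happen; "challenge11" is a placeholder.
set pagination off
set disassembly-flavor intel

# Stop inside malloc on its first call. The buffer does not exist yet,
# so we cannot read its address here.
break malloc
run

# Run until malloc returns to its caller. On 32-bit x86 the returned
# pointer is in eax; keep it in a convenience variable for later use.
finish
set $flagbuf = (char *) $eax
printf "buffer allocated at %p\n", $flagbuf

# Drop the malloc breakpoint (breakpoint 1) so any later allocation does
# not stop us, then stop just after the last string operation.
delete 1
break *0x08048544
continue

# Examine the buffer as a NUL-terminated string: this is the flag.
x/s $flagbuf
printf "flag: %s\n", $flagbuf
quit
```

If the binary called malloc more than once before reaching 0x08048544, the first return value would still be the 24-byte flag buffer described above, which is why the breakpoint is deleted right after capturing it.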