Git fail fixed.

Author: akrasuski1

2016-03-06-bkpctf/re_5_Frog_Fractions_2/README.md

@@ -0,0 +1,70 @@
+## Frog Fractions 2(reversing, 5 points, 65 solves)
+	Turns out Frog Fractions 2 is not battletoads
+We're given a 64bit elf file, let's start by disassembling it and describing important points in the program.
+
+The program uses a library called libgmp to handle big numbers, it makes the debugging less friendly. 
+
+After analysing the binary come we come up with a replacement script in python:
+
+```python
+data = [] #scraped data array from binary
+primes = [] #init primes somewhere
+v11 = 1019
+line = "A sample line input" #our input
+
+def factor_print(a1):
+	v4 = a1
+	for x in range(200):
+		c = 0
+		while(v4 % primes[x] == 0):
+			v4 = v4/primes[x];
+			c = c+1
+		if(c != 0):
+			sys.stdout.write(chr(c))
+	print
+
+for i in range(len(line)):
+	v11 = v11* pow(primes[i], ord(line[i]))
+j =0
+while(j < len(data)/2):
+	v6 = data[j*2]
+	v7 = data[j*2+1]
+
+	v10 = v11*v6
+	if(v10 % v7 == 0): 
+		v11 = v10/v7
+		j = 0
+	else:
+		j = j+1
+factor_print(v11)
+```
+
+While searching through the binary we stumble into two big, interesting integers: 62834...(6955 chars) and 50209...(8423 chars).
+
+What's interesting about them is that if we run them through our `factor_print` function we get the 2 messages available:
+
+`Nope!  You need to practice your fractions!`
+
+`Congratulations!  Treat yourself to some durians!`
+
+So we need to find a line that reproduces the second output message, we do that by reversing the function:
+
+```python
+def crack(v11):
+	j = 0
+	while(j < len(data)/2):
+		v7 = data[j*2]
+		v6 = data[j*2+1]
+
+		v10 = v11*v6
+		if(v10 % v7 == 0): 
+			v11 = v10/v7
+			j = 0
+		else:
+			j = j+1
+	factor_print(v11)
+```
+
+Which gives us the desired output: `KEY{(By the way, this challenge would be much easier with a cybernetic frog brain)}`
+
+The full source is available [here](https://gist.github.com/nazywam/0634494b4b1c0ffd46a3)

2016-03-06-bkpctf/web_3_Good_Morning/README.md

@@ -0,0 +1,26 @@
+## Good Morning (web, 3 points, 110 solves)
+	http://52.86.232.163:32800/  https://s3.amazonaws.com/bostonkeyparty/2016/bffb53340f566aef7c4169d6b74bbe01be56ad18.tgz
+
+In this task we were given a source of web survey. It used MySQL in backend to store our answers. The script
+was not using prepared statements, so we quickly came to conclusion that there has to be a SQL injection possible.
+Unfortunately, our input was escaped before passing to MySQL library. However, they use their home-made escaping function
+instead of properly tested official ones. 
+
+Because the site was in Japanese, they used Shift-JIS character encoding. One of the oddities conencted to this encoding
+is that it changes position of backslash - 0x5C, which is ASCII backslash, in SJIS means yen. The websocket and Python script
+itself (including escaping function) use Unicode, so we can send `[yen]" stuff`, which will be converted by escaping function
+to `[yen]\" stuff`, and then converted to SJIS `0x5C\" stuff`. Since 0x5C is equivalent to backslash, that means our input will
+be interpreted as one escaped backslash, followed by unescaped quote, enabling us to put arbitrary SQL code there.
+
+Proof:
+```
+>>> print mysql_escape(json.loads('{"type":"get_answer","question":"q","answer":"\u00a5\\\""}')["answer"]).encode("sjis")
+\\"
+```
+Exploiting via Chrome developer console:
+```
+socket.onmessage=function(e){console.log(e.data);};
+socket.send('{"type":"get_answer","question":"q","answer":"\u00a5\\\" OR 1=1 -- "}')
+
+VM416:2 {"type": "got_answer", "row": [1, "flag", "BKPCTF{TryYourBestOnTheOthersToo}"]}
+```

2016-03-06-bkpctf/web_3_Good_Morning/ganbatte.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python
+
+from flask import Flask, render_template, Response
+from flask_sockets import Sockets
+import json
+import MySQLdb
+
+app = Flask(__name__)
+sockets = Sockets(app)
+
+with open("config.json") as f:
+ connect_params = json.load(f)
+
+connect_params["db"] = "ganbatte"
+
+# Use Shift-JIS for everything so it uses less bytes
+Response.charset = "shift-jis"
+connect_params["charset"] = "sjis"
+
+questions = [
+  "name",
+  "quest",
+  "favorite color",
+]
+
+# List from http://php.net/manual/en/function.mysql-real-escape-string.php
+MYSQL_SPECIAL_CHARS = [
+  ("\\", "\\\\"),
+  ("\0", "\\0"),
+  ("\n", "\\n"),
+  ("\r", "\\r"),
+  ("'", "\\'"),
+  ('"', '\\"'),
+  ("\x1a", "\\Z"),
+]
+def mysql_escape(s):
+  for find, replace in  MYSQL_SPECIAL_CHARS:
+    s = s.replace(find, replace)
+  return s
+
+@sockets.route('/ws')
+def process_questsions(ws):
+  i = 0
+  conn = MySQLdb.connect(**connect_params)
+  with conn as cursor:
+    ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1}))
+    while not ws.closed:
+      message = ws.receive()
+      if not message: continue
+      message = json.loads(message)
+      if message["type"] == "answer":
+        question = mysql_escape(questions[i])
+        answer = mysql_escape(message["answer"])
+        cursor.execute('INSERT INTO answers (question, answer) VALUES ("%s", "%s")' % (question, answer))
+        conn.commit()
+        i += 1
+        if i < len(questions):
+          ws.send(json.dumps({"type": "question", "topic": questions[i], "last": i == len(questions)-1}))
+      elif message["type"] == "get_answer":
+        question = mysql_escape(message["question"])
+        answer = mysql_escape(message["answer"])
+        cursor.execute('SELECT * FROM answers WHERE question="%s" AND answer="%s"' % (question, answer))
+        ws.send(json.dumps({"type": "got_answer", "row": cursor.fetchone()}))
+      print message
+
+@app.route('/')
+def hello():
+  return app.send_static_file("index.html")
+
+if __name__ == "__main__":
+  from gevent import pywsgi
+  from geventwebsocket.handler import WebSocketHandler
+  addr = ('localhost', 5000)
+
+  server = pywsgi.WSGIServer(addr, app, handler_class=WebSocketHandler)
+  server.serve_forever()