I had a chance to try out a few of the OpenCTF challenges this year at DEFCON. After OpenCTF was over, I went to a talk given by the ShellPhish team about their Cyber Grand Challenge adventure. In it, they open sourced one part of their tool called angrop. To be clear, they are intent on opening up the rest of their tools, but for now this was the one that was ready to go. Given that there's a brand new ROP tool to play with, and I have OpenCTF challenges to look at, I decided to give it a go and take angrop for a test drive.

 

Given the name, this challenge deals with using Return Oriented Programming. In this case, the use of that term is a bit misleading since, while accurate, most people will think of pop-pop-ret style programming when they hear ROP. Anyways...

Category: Pwn Points: 200 Solves: 64 Description:

What's your hacker level?

Find out with this nifty little app at challs.campctf.ccc.ac:10118. You can also run your own instance: hacker_level

 

Here's another great example of using the format string exploiter to do your work for you. Again, it's about removing any mechanics of exploitation where possible so you can focus on the human task of understanding the vulnerability rather than the machine task of writing the format string. Let's take a peek at the challenge.

Category: Exploit Points: 80 Solves: 101 Description:

Description: Printer are very very important for offices. Especially for remote printing. My boss told me to build a tool for that task.

Attachment: exp80.zip

Service: 188.166.133.53:12377

 

This example problem actually spurred me to create a helper script. Basically, I find that I do the same things every time that I run into a format string vulnerability. #1 is to re-learn how the damn thing works. #2 is to flounder around to try to find the right syntax. #3 is to spend time trying to figure out what is on the stack and what I have access to. This helper script solves all of that. But on to the challenge...

Category: Reverse Points: 150 Solves: 108 Description:

Run and capture the flag!

Download serial

This challenge was another great challenge to use angr on. Right off the bad we can see it will be a "find the correct serial number" problem.

 

$ file serial
serial: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=77e92e8b1bd4f26641bab4dbf563037a7b9538d2, not stripped