Everything

We’ve burrowed ourselves deep within the facility, gaining access to the programable logic controllers (PLC) that drive their nuclear enrichment centrifuges. Kinetic damage is necessary, we need you to neutralize these machines.

You can access this challenge at https://wargames.ret2.systems/csaw_2018_plc_challenge

A much belated post. This is a pwn challenge on a custom online wargaming platform. We are provided with the assembly of what’s ostensibly a programmable logic controller (PLC) for a centrifuge in a nuclear reactor. The challenge looks like it’s still up, so you can take a look and follow along.

This was the first ROP (okay, spoiler, it’s a ROP) I ever pulled off live during an actual CTF, which I was pretty excited about. The web platform meant I had to worry less about setup, and even though some of the tools it provided were a little lacking (no gdb shortcuts like until, no pwntools utilities for packing/unpacking numbers, … no one_gadget), I think they ultimately made the whole thing a lot more educational for me, so kudos to the folks behind it. I’ve included a brief description of all the exploit techniques that lead up to ROP when we get to that, so hopefully this post will be useful even if you don’t know much about pwning binaries. The prerequisites would be some knowledge with x86 assembly, how executables are loaded into memory, and how to use gdb (or fictionalized web knockoffs thereof).

The villains are communicating with their own proprietary file format. Figure out what it is.

$nc proprietary.ctfcompetition.com 1337 We get a server that will talk to us on a port and a flag.ctf file that’s definitely not a binary. It’s a black-box reversing challenge! I was @-mentioned as the person who might want to due to solving bananaScript (CSAW CTF Quals 2017) as a black box, although that gave a binary that it was possible in theory to reverse. Here black-box reversing is the only option. For the first few lines of input that the server wants, it responds with quite helpful error messages to help you appease it. If the first line you give it is not P6, it complains: You discover this cat enthusiast chat app, but the annoying thing about it is that you’re always banned when you start talking about dogs. Maybe if you would somehow get to know the admin’s password, you could fix that. This challenge is a simple chat app written in NodeJS. The home page redirects you to a chat room labeled with a random UUID. Anybody can join the same chat room with the URL. In a chat room, you can chat and issue two commands, /name to set your name and /report to report that somebody is talking about dogs. After anybody in the chat room issues /report, the admin shows up, listens for a while, and bans anybody who mentions the word “dog”. There are two more commands, /secret and /ban, which are in the server source code and also described in comments in the HTML source if you didn’t notice: You stumbled upon someone’s “JS Safe” on the web. It’s a simple HTML file that can store secrets in the browser’s localStorage. This means that you won’t be able to extract any secret from it (the secrets are on the computer of the owner), but it looks like it was hand-crafted to work only with the password of the owner… The challenge consists of a fancy HTML file with a cute but irrelevant animated cube and some embedded JavaScript. The hardest challenge of not very many I solved in this CTF. What a struggle! I have a long way to improve. It was pretty fun though. (I solved “You Already Know”, and got the essence of “ghettohackers: Throwback”, but didn’t guess the right flag format and believe I was asleep when they released the hint about it.) The challenge consists of a simple PHP script that opens a MySQL connection and then feeds our input into a custom PHP extension shellme.so. $link = mysqli_connect('localhost', 'shellql', 'shellql', 'shellql');

if (isset($_POST['shell'])) { if (strlen($_POST['shell']) <= 1000)
{
echo $_POST['shell']; shellme($_POST['shell']);
}
exit();
}

The extension basically just executes \$_POST['shell'] as shellcode after a strict SECCOMP call, prctl(22, 1). This means that we can only use the four syscalls read, write, and exit, and sigreturn, where the latter two aren’t particularly useful.

The goal is to read the flag from the open MySQL connection.

We are presented with a big zip file of SML code, which implements an interpreter for a small ML-like language with a form of taint analysis in its type checker, called Wolf. Concretely, every type in Wolf’s type system has an associated secrecy: it is either “private” or “public”, and in theory, the type system makes it impossible to do any computation on private data to get a public result.

Of course, this is a CTF, so the challenge is all about breaking the theoretical guarantees of the type system. When we submit code, it’s evaluated in a context with a private integer variable flag; our code is typechecked, executed, and printed, but only if its type is public. The goal is to break the type system and write code that produces a public value that depends on flag, so that we can exfiltrate flag itself.

In all, there are three progressively harder Wolf problems, named Pupper, Doggo, and Woofer. Doggo and Woofer are each encrypted with the flag of the challenge before it, so that you need to solve them in order (unless you can somehow blindly exploit servers running SML programs).

Wolf Overview

Let’s first go over the Wolf syntax and semantics. (There are small differences between the three problems, but they’re syntactically identical and only semantically differ in cases that we’ll naturally get to.) The examples folder has some examples of valid code:

let x = (5 :> private int) in
6

This challenge is a video of somebody’s messy desk, with what is apparently the audio from a Futurama clip. The desk is indeed extremely messy and full of things that aren’t particularly useful for us, but close examination reveals a QR code reflected in the globe in the middle.

The challenge is all about getting that QR code. After trying our best to clean up the image, we ended up with this:

It feels a little surreal watching #DeleteFacebook.

On one hand, despite how hard it is to keep an issue trending in today’s fast news cycle, this issue has managed to continue burning for a while. Somewhat recently (March 21), we got two high-profile Facebook account deletions from Brian Acton (WhatsApp cofounder) and Elon Musk. Other apparent examples include Playboy and Cher, or see Time or CNET for a few more. Facebook’s U.S. and Canada user base declined for the first time last quarter.

On the other hand, for me and for a lot of people, the scandal just doesn’t seem that qualitatively different from things we’ve known about Facebook for a long time — its stance on privacy, its psychological effects, its willingness to manipulate the user experience. Why is this time different? (Here’s the /r/NoStupidQuestions thread. I don’t actually know which answer I believe the most.)

Is this time really different? I’m not optimistic. The decline could simply be Facebook running out of potential users to add and space to grow. According to a recent Raymond James survey, about half of surveyed users did not plan to change how much they used Facebook, while only 8% would stop using it, and this may still be an overestimate of people who will actually leave or delete their accounts.1 Mark Zuckerberg himself told the New York Times, “I don’t think we’ve seen a meaningful number of people act on [the #DeleteFacebook campaign]”.

I myself have to admit upfront that, even though I barely use Facebook any more and have carefully contemplated deleting my Facebook account for a long time, I still haven’t pulled the trigger.

Why? What will it take to change this?

My third MIT Mystery Hunt with ✈✈✈ Galactic Trendsetters ✈✈✈ (also see: 2017 and 2016, writing with Random in 2015). It was a good hunt with a fun theme, solid puzzles, and extraordinary production quality, marred only by a fickle unlock structure and a handful of unnecessarily involved extractions.

Since we had been told the hunt would be smaller than past years’ (now a controversial statement since the coin was not found particularly early) and we didn’t particularly want to win (yet), part of our team temporarily split off this year to hunt as Teammate. Based on our Discord channel, ✈✈✈ Galactic Trendsetters ✈✈✈ had 75 people this year, including remote solvers and people who dropped in and out.

A short description of the hunt structure: This year’s hunt theme was Inside Out, the Disney movie about anthropomorphized emotions. This was revealed through a kickoff that demonstrated the hunt’s extraordinary production quality, in which we watched the unveiling of the Health & Safety hunt, first directly, then in the Control Room with the emotions of a distraught hunter (Miss Terry Hunter) and a lot of beautiful memory orbs and scenery. After Terry’s emotions became overwhelmed in response to the theme, we had to help her emotions to allow her to complete the Health & Safety hunt. The intro round took place in the Control Room; we had to solve 34 regular puzzles and five metapuzzles (somewhat overlapping, with some regular puzzles belonging to more than one metapuzzle) to help each of the five emotions get back to the Control Room. The rest of the hunt consisted of recovering memory orbs from each of four Islands of Personality, each of which had its own theme and meta structure, and which we could choose the unlock order of.

I think this is the right video for this year.

I love the music and the animation. The music video spells out the central conceit somewhat explicitly, but I think the lyrics by themselves have a hint of ambiguity — is it a harmful addiction that you just can’t escape from, or an essential part of your identity that you just can’t deny?

What parts of me can I just not deny, huh? Unfortunately 2017 is also the year I decide my online presence should probably be a little more professional, so you might have to read between the lines a bit.