Facebook's BountyCon 2020 CTF Writeup
BountyCon2020
BountyCon is an invitation-only application security conference arranged by Facebook annually in Singapore for the BugBounty Community of Asia-Pacific region.
For more information about it, check here.
BountyCon2020 is the second edition. I was lucky enough to win an all-sponsored invitation from Facebook to attend the last edition and it was just an amazing experience filled with lots of hacking, knowledge sharing, traveling around Singapore, networking and hacking discussions over food and drinks with fellow bug bounty hunters and talented hackers from all over the world. It can’t get better than that for a Hacker.
Shoutout to Hackers who made that trip a memorable one. Prateek Tiwari, Bhavuk Jain, Rahul Maini, Pranav Hivarekar, Anand Prakash and everyone else from Indian Bug Hunters Community.
To get an invite, one has to top the leaderboard of BountyCon CTF.
CTF Writeup
Following is a writeup for a challenge that I really liked solving and learned some new things in the process.
1. Tick-Tock
This was a white-box challenge around a python library. Code for an AWS lambda function was given which was vulnerable to arbitrary unpickling of Python Objects through pickle serialization library.
1 | class Epoch(object): |
The possible arbitrary code execution exploitation of pickle library was shut down by use of Lambda’s function shield which would block all the read, write, outbound connectivity and child process creation attempts.
1 | function_shield.configure({ |
The flag for the challenge was in a globally initialized variable.
Pseudo-Code of the execution was like the following:
1 | If cookie is not set: |
So in a nutshell, whatever gets assigned to the timestamp variable of Epoch Class gets reflected into the HTML source. This was the trick to solve the challenge. We somehow had to trick the code into initializing the reflection with the flag variable and we had unpickling as a way to do it.
To arrive at the following solution
, I scoured through the original documentation of pickle docs.
1 | class Epoch(object): |
To manipulate it, we have the __reduce__
method which will govern the object creation upon successful unpickling. The above code returns a tuple with the first argument being the callable and second being the argument. The result of unpickling the pickled byte-stream of the above class’s instance will be eval('Epoch(flag)')
getting executed and the result of eval getting directly returned.
In this case, it will be an instance of Epoch class getting initialized with flag variable and the variable containing flag string will get reflected into the HTML by the following code.
1 | epoch = pickle.loads(base64.b64decode( |
So with our exploit, it will indirectly mean,
1 | epoch = Epoch(flag) |
In this way, we successfully get the value of the flag variable in the ts
class variable.
Following are the challenges that were not much exciting compared to tick-tock:
2. Lighthouse
Challenge had an android app. Upon reversing and analyzing the apk, It was clear that the app is taking flag string from native code, changing it to morse code string and using it to light the flash of the phone.
I had multiple ideas to solve it but I solved it by using a C++ tool which converts a video to morse code. I was not very sure that it was good enough to detect the morse code from the video stream of phone flash But I gave it a try anyway, The code is outdated and hence it was not getting compiled, made some tweaks to the C++ code so that it should compile. I recorded a video of phone flashing and fed it the compiled binary. It worked like a charm.
3. Shake it
This also was consisting of an android app. As its name suggests, It was counting down the 10 million shakes of the phone and upon completion of those many shakes, it would reveal the flag string stored in native code.
Decompiled the apk using apktool
.
1 | $ apktool d shake-it.apk |
updated the smali code which was initializing this counter of 10 mils. to 10.
0xF4240 -> 0xA in the MainActivity.smali
1 | // In MainActivity.smali |
Built the apk again.
1 | $ apktool b shake-it -o shake-it-modified.apk |
Self-signed it.
1 | $ keytool -genkey -v -keystore key.keystore -alias self -keyalg RSA -keysize 2048 -validity 10000 |
Installed the apk and shaken the phone ten times, got the flag!
4. Who’s Sequel
This challenge had a login form. Upon fuzzing it was clear that it was vulnerable to Blind SQLi. Dumping the table using SQLMap revealed the flag in the last row of one of the tables.
5. Heart of Stone
The Challenge name and Server header in response gave away the hint of HeartBleed (CVE-2014-0160), Exploited and read the memory containing the flag.
Due to work and other stuff, I don’t get much time to participate in CTFs for fun. But I recently formed a CTF team, UnderDawgs with Rudra and Arbaz and we are actively looking for people experienced in Pwn, Crypto and Reversing CTF challenges. If you think you can contribute to the team, Please reach out.
Thanks for reading.
Hack the Planet,
CaptainFreak