CTF Challenge for CSAW Finals 2021

Overview

Terminal Velocity

Misc CTF Challenge for CSAW Finals 2021

This is a challenge I've had in mind for almost 15 years and never got around to building until now. It (ab)uses a number of terminal escape codes to trigger both legitimate and scary and potentially dangerous terminal features, many of which are enabled by default in modern terminals! While a number of more serious exploits were patched in terminals since this original idea (it used to be trivial to kill many terminals with such escapes as "move cursor left 2^32 times or other similar ridiculous instructions), but most of the remaining shenanigans are merely abusing "legitimate" features that maybe are undesirable when simply viewing a text file or connecting to a network socket.

It's worth noting that because this service uses the usual netcat connection from clients, it will be line-buffered. This prevents some more egregious abuse of terminal escapes and requires some slight trickery to receive the return escape codes as hidden parts of existing responses during the various "press enter to continue" or similar prompts. Using something like telnet or ssh would fix this and allow for even more dangerous terminal manipulations.

Part of the goal of this challenge is to encourage people to be a bit more careful even when taking actions they might otherwise consider benign. Text should be considered harmful.

Deploying / Running

$ docker build -t terminal .
$ docker run -it -p 3535:3535 terminal

Or just run python3 service.py and connect to your local machine on port 3535.

Solutions

Two play-testers provided (partial) solutions which needs some tweaks for the final updates. This writeup covers the main tasks:

Level 0

When you first connect to the server you simply see a password (Level 0 Is Really Easy) which when pasted is indeed, correct.

The only tricky thing is if you try to sniff the connection or use a non-terminal to access it, you'll see that the password is originally something else that is overwritten.

Screen Check

After solving level 0, you will be asked "What is the proper screen size"? Some people may simply know the default terminal size is 80x24 and adjust accordingly, but if not, the server helpfully tells you whether your terminal was too big or too small after verifying that it can read your screen dimensions. If you're not running a real terminal, you'll need to learn to fake the correct response.

Level 1

Level one simply prints the password out in a black text on a black background. You can simply copy/paste it from the terminal but if you try to view it from the raw network traffic you will see that it is interspersed with unrelated escape codes that you have to filter out.

Correct pass: G1V3M3TH3N3XTL3V3L

Feature Check: Iconify

The next check will attempt to icnoify your terminal and query the status of the terminal (it also has the side effect of querying a user's iTerm current profile name). Correct approaches to solving this usually involve analyzing the query string that is sent and finding what is being looked up. Note that some VT100 references will give misleading answers and the oracle should always be consulted (if people get stuck I'd give this as a hint out since it's a better reference. All references are painfully hard to search though which is hilarious.)

Note: if you don't have a terminal capable of following this live (Terminal.app is the only one I know that does it all correctly) and you don't want to write a terminal emulator/manual interaction script (definitely the right approach for what's coming next), then you can work around it by just pressing backspace twice and entering 2t before pressing enter.

Level 2

Level two is similar except the line of correct text is erased after rendered. An emulator that simulates specific character drawing will be able to recover the text, or a filter that blocks the "erase" escape codes (though there are several used) can work here.

Correct password: HalfwayDone

Level 3

Level three is pretty nasty (the user is warned though!)

It will attempt to do all sorts of nasty things to their terminal including printing locking the prompt, crashing it with bogus operations. One printer accidentally spewed out paper and one Windows machine blue screened during the testing of these features, so this can be tough! (The printer bug was fixed with all the aforementioned iTerm detection above ). By this point users should be strongly considering not directly interacting with the port but using pwntools with heavy filtering or some other method. (Fun fact, Windows terminal actually looks super robust against these sorts of shenanigans and the developers even built an entire fuzzing harness that really needs to be run against all other major browsers which still have many bugs).

Anyway, for players who have been building a very simply terminal emulator to this point, just having the ability to emulate three different cases of move and draw commands will let them re-create the correct text for this level.

Correct password: BobTheBuilder

Level 4

The final level brings image formats! Yup, there are actually many different valid forms of images that can be displayed in terminals. Though, if I've done my job correctly, the previous level will have broken or rendered useless most of the terminals that otherwise could just show the images directly.

The three images that are displayed are:

  1. Simple base64 encoded file in iTerm image format
  2. A sixel and
  3. A Tektronix image

There are several different approaches/tools to solving the last two images. Just using a compatible terminal and separately cat'ing the file after extracting them from the session is sufficient.

xTerm has the only support for the final Tektronix image format I have found. When assembled, the images reveal the final passcode: PINEY_FLATS_TN_USA a random city with no meaning at all behind it.

Entering the final password reveals the flag for the challenge!

Hopefully people have a lot more respect about what their terminals are capable of after working on this challenge and maybe even take more care when randomly connecting to servers on the internet.

Owner
Jordan
Jordan
J.A.R.V.I.S is an AI virtual assistant made in python.

J.A.R.V.I.S is an AI virtual assistant made in python. Running JARVIS Without Python To run JARVIS without python: 1. Head over to our installation pa

somePythonProgrammer 16 Dec 29, 2022
Pytorch implementation of Each Part Matters: Local Patterns Facilitate Cross-view Geo-localization https://arxiv.org/abs/2008.11646

[TCSVT] Each Part Matters: Local Patterns Facilitate Cross-view Geo-localization LPN [Paper] NEWs Prerequisites Python 3.6 GPU Memory = 8G Numpy 1.

46 Dec 14, 2022
code release for USENIX'22 paper `On the Security Risks of AutoML`

This project is a minimized runnable project cut from trojanzoo, which contains more datasets, models, attacks and defenses. This repo will not be mai

Ren Pang 5 Apr 19, 2022
Implement of "Training deep neural networks via direct loss minimization" in PyTorch for 0-1 loss

This is the implementation of "Training deep neural networks via direct loss minimization" published at ICML 2016 in PyTorch. The implementation targe

Cuong Nguyen 1 Jan 18, 2022
This repository provides a basic implementation of our GCPR 2021 paper "Learning Conditional Invariance through Cycle Consistency"

Learning Conditional Invariance through Cycle Consistency This repository provides a basic TensorFlow 1 implementation of the proposed model in our GC

BMDA - University of Basel 1 Nov 04, 2022
SLIDE : In Defense of Smart Algorithms over Hardware Acceleration for Large-Scale Deep Learning Systems

The SLIDE package contains the source code for reproducing the main experiments in this paper. Dataset The Datasets can be downloaded in Amazon-

Intel Labs 72 Dec 16, 2022
Pytorch implementation of MaskFlownet

MaskFlownet-Pytorch Unofficial PyTorch implementation of MaskFlownet (https://github.com/microsoft/MaskFlownet). Tested with: PyTorch 1.5.0 CUDA 10.1

Daniele Cattaneo 84 Nov 02, 2022
基于YoloX目标检测+DeepSort算法实现多目标追踪Baseline

项目简介: 使用YOLOX+Deepsort实现车辆行人追踪和计数,代码封装成一个Detector类,更容易嵌入到自己的项目中。 代码地址(欢迎star): https://github.com/Sharpiless/yolox-deepsort/ 最终效果: 运行demo: python demo

114 Dec 30, 2022
Explainable Medical ImageSegmentation via GenerativeAdversarial Networks andLayer-wise Relevance Propagation

MedAI: Transparency in Medical Image Segmentation What is this repo This repo contains the code and experiments that are implemented to contribute in

Awadelrahman M. A. Ahmed 1 Nov 22, 2021
A concise but complete implementation of CLIP with various experimental improvements from recent papers

x-clip (wip) A concise but complete implementation of CLIP with various experimental improvements from recent papers Install $ pip install x-clip Usag

Phil Wang 515 Dec 26, 2022
For auto aligning, cropping, and scaling HR and LR images for training image based neural networks

ImgAlign For auto aligning, cropping, and scaling HR and LR images for training image based neural networks Usage Make sure OpenCV is installed, 'pip

15 Dec 04, 2022
Dense Prediction Transformers

Vision Transformers for Dense Prediction This repository contains code and models for our paper: Vision Transformers for Dense Prediction René Ranftl,

Intelligent Systems Lab Org 1.3k Jan 02, 2023
Double pendulum simulator using a symplectic Euler's method and Hamiltonian mechanics

Symplectic Double Pendulum Simulator Double pendulum simulator using a symplectic Euler's method. The program calculates the momentum and position of

Scott Marino 1 Jan 12, 2022
Detectron2 for Document Layout Analysis

Detectron2 trained on PubLayNet dataset This repo contains the training configurations, code and trained models trained on PubLayNet dataset using Det

Himanshu 163 Nov 21, 2022
[NeurIPS 2020] Official Implementation: "SMYRF: Efficient Attention using Asymmetric Clustering".

SMYRF: Efficient attention using asymmetric clustering Get started: Abstract We propose a novel type of balanced clustering algorithm to approximate a

Giannis Daras 46 Dec 22, 2022
[CVPR 2021] Unsupervised 3D Shape Completion through GAN Inversion

ShapeInversion Paper Junzhe Zhang, Xinyi Chen, Zhongang Cai, Liang Pan, Haiyu Zhao, Shuai Yi, Chai Kiat Yeo, Bo Dai, Chen Change Loy "Unsupervised 3D

100 Dec 22, 2022
[ICCV'21] Neural Radiance Flow for 4D View Synthesis and Video Processing

NeRFlow [ICCV'21] Neural Radiance Flow for 4D View Synthesis and Video Processing Datasets The pouring dataset used for experiments can be download he

44 Dec 20, 2022
这是一个yolox-keras的源码,可以用于训练自己的模型。

YOLOX:You Only Look Once目标检测模型在Keras当中的实现 目录 性能情况 Performance 实现的内容 Achievement 所需环境 Environment 小技巧的设置 TricksSet 文件下载 Download 训练步骤 How2train 预测步骤 Ho

Bubbliiiing 64 Nov 10, 2022
Code for Temporally Abstract Partial Models

Code for Temporally Abstract Partial Models Accompanies the code for the experimental section of the paper: Temporally Abstract Partial Models, Khetar

DeepMind 19 Jul 13, 2022
Newt - a Gaussian process library in JAX.

Newt __ \/_ (' \`\ _\, \ \\/ /`\/\ \\ \ \\

AaltoML 0 Nov 02, 2021