
Phoenix exploit education Net-serie

Phoenix 4 - Net série

Net - zero

Can you convert the string provided to the native endian of the architecture the binary is running on? For AMD64, it listens on port 64000. For i486, it listens on port 64001.

Source

/*
 * phoenix/net-zero, by https://exploit.education
 *
 * What did the fish say when he swam head first into a wall?
 * Dam!
 */

#include <err.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

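/*
 * net-zero: print a random 32-bit challenge as decimal text, then read
 * exactly sizeof(uint32_t) raw bytes from stdin and compare them with the
 * challenge.
 *
 * The prompt asks for "little endian", but the comparison is done on the
 * bytes as stored in memory, i.e. in the host's native byte order. The two
 * only coincide because the targets named by the level (AMD64, i486) are
 * little-endian machines.
 *
 * stdin/stdout are presumably attached to the TCP listener by the level's
 * launcher; nothing in this function opens a socket itself.
 *
 * Returns 0 whether or not the answer matched; exits with status 1 through
 * errx() when the random source or the read fails.
 */
int main(int argc, char **argv) {
  uint32_t i, j;

  (void)argc;
  (void)argv;

  /* Unbuffered output so the peer sees each message as soon as it is written. */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  printf("%s\n", BANNER);

  if (getrandom((void *)&i, sizeof(i), 0) != sizeof(i)) {
    /* sizeof yields size_t: %zu is the matching conversion, %d is not. */
    errx(1, "unable to getrandom(%zu bytes)", sizeof(i));
  }

  printf("Please send '%u' as a little endian, 32bit integer.\n", i);

  /* A short read is treated as a failure; no retry is attempted. Anything
   * the peer sends beyond these bytes (e.g. a trailing newline) is ignored. */
  if (read(0, (void *)&j, sizeof(j)) != sizeof(j)) {
    errx(1, "unable to read %zu bytes from stdin", sizeof(j));
  }

  if (i == j) {
    printf("You have successfully passed this level, well done!\n");
  } else {
    printf("Close - you sent %u instead\n", j);
  }

  return 0;
}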

Solution.

Cet exercice consiste simplement à apprendre à se connecter au serveur, à parser les messages et à convertir la valeur numérique en message binaire little-endian (l’ordre demandé par le serveur, et celui que p32() produit par défaut).

La résolution de cette série est grandement facilitée par l’usage de la librairie pwnlib.

#!/usr/bin/python
import re
from pwn import *

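# Target: the net-zero service of the local Phoenix lab VM (AMD64 instance).
host = 'localhost'
port = 64000

p = remote(host, port)

# The service sends two lines: the banner, then the challenge prompt.
banner = p.readline()
log.info(banner.decode(errors='replace').rstrip())
line = p.readline()
log.info(line.decode(errors='replace').rstrip())

# readline() returns bytes, so the pattern must be a bytes pattern as well;
# a str pattern applied to bytes raises TypeError on Python 3.
m = re.search(br"'(\d+)'", line)

if m:
    n = int(m.group(1))
    # The server read()s exactly 4 bytes. p32() packs little-endian by
    # default, which is what the prompt asks for; send() transmits only those
    # 4 bytes, without the trailing newline that sendline() would append.
    p.send(p32(n))
    log.info(p.read().decode(errors='replace').rstrip())
else:
    # Do not answer when the prompt does not have the expected shape.
    log.warning("no quoted integer found in prompt: %r", line)

p.close()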

Net one

Can you convert the native endian representation of an integer to the ASCII equivalent? For AMD64, it listens on port 64001. For i486, it listens on port 64011.

Source

/*
 * phoenix/net-one, by https://exploit.education
 *
 * Why aren't octal jokes funny?
 * Because 7 10 11
 */

#include <err.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

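/*
 * net-one: write a random 32-bit value to stdout as 4 raw bytes (native byte
 * order), then read one text line from stdin and compare it with the decimal
 * ("%u") rendering of that value.
 *
 * Returns 0 whether or not the answer matched; exits with status 1 through
 * errx() when the random source, the write or the read fails.
 */
int main(int argc, char **argv) {
  uint32_t i;
  char buf[12], fub[12];

  (void)argc;
  (void)argv;

  /* Unbuffered output so the raw bytes are not held back behind the banner. */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  printf("%s\n", BANNER);

  if (getrandom((void *)&i, sizeof(i), 0) != sizeof(i)) {
    /* sizeof yields size_t: %zu is the matching conversion, %d is not. */
    errx(1, "unable to getrandom(%zu bytes)", sizeof(i));
  }

  if (write(1, &i, sizeof(i)) != sizeof(i)) {
    errx(1, "unable to write %zu bytes", sizeof(i));
  }

  /* fgets() stores at most sizeof(buf) - 1 characters and always terminates
   * the string, so a longer line is truncated rather than overflowing buf. */
  if (fgets(buf, sizeof(buf), stdin) == NULL) {
    errx(1, "who knew that reading from stdin could be so difficult");
  }
  buf[sizeof(buf) - 1] = 0;

  /* Cut the answer at the first CR or LF, whichever comes first. */
  buf[strcspn(buf, "\r\n")] = 0;

  /* A uint32_t needs at most 10 digits plus the terminator, which fits in
   * fub[12]; snprintf() keeps the write bounded regardless. */
  snprintf(fub, sizeof(fub), "%u", i);
  if (strcmp(fub, buf) == 0) {
    printf("Congratulations, you've passed this level!\n");
  } else {
    /* The peer's text is passed as a %s argument, never as the format. */
    printf("Close, you sent \"%s\", and we wanted \"%s\"\n", buf, fub);
  }

  return 0;
}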

Solution

Script

#!/usr/bin/python
import re
from pwn import *
from binascii import hexlify

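host = 'localhost'
# Ports as given in the level description. The script originally assigned
# 64001 and overwrote it with 64011 on the next line, so only the i486
# instance was ever contacted; that choice is kept here, made explicit.
PORT_AMD64 = 64001
PORT_I486 = 64011
port = PORT_I486

p = remote(host, port)

line = p.readline()
log.info(line.decode(errors='replace').rstrip())

# recvn() waits until exactly 4 bytes have arrived; read(4) may return fewer
# when the segment is split, and u32() would then fail on the short buffer.
data = p.recvn(4)
log.info("Received code : %s", hexlify(data).decode())

# The value is a uint32_t on both architectures, so u32() (little-endian by
# default) applies to either port. The server compares against decimal text,
# so the answer goes out as ASCII digits followed by a newline.
p.sendline(str(u32(data)).encode())
log.info(p.read().decode(errors='replace').rstrip())

p.close()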

Execution

$ ./net-one.py
[+] Opening connection to localhost on port 64011: Done
[*] Welcome to phoenix/net-one, brought to you by https://exploit.education
[*] Received code : d3aea69e
[*] Congratulations, you've passed this level!
[*] Closed connection to localhost port 64011

Net two

And now for some additional fun. For AMD64, it listens on port 64002 For i486, it listens on port 64012

Source

/*
 * phoenix/net-two, by https://exploit.education
 *
 * Shout out to anyone who doesn't know what the opposite of in is.
 *
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

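/*
 * net-two: fill an array of sizeof(long) unsigned longs with random bytes,
 * write each element to stdout as raw bytes (sizeof(long) * sizeof(long)
 * bytes in total), then read one raw unsigned long from stdin and compare it
 * with the sum of the elements.
 *
 * The sum is accumulated in an unsigned long, so it wraps modulo
 * 2^(8 * sizeof(long)); the peer has to send the wrapped value, in native
 * byte order and native width.
 *
 * Returns 0 whether or not the answer matched; exits with status 1 through
 * errx() when the random source, a write or the read fails.
 */
int main(int argc, char **argv) {
  size_t i;
  unsigned long quad[sizeof(long)], result, wanted;

  (void)argc;
  (void)argv;

  /* Unbuffered output so the raw values follow the text immediately. */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  printf("%s\nFor this level, sizeof(long) == %d, keep that in mind :)\n",
      BANNER, (int)sizeof(long));

  if (getrandom((void *)&quad, sizeof(quad), 0) != sizeof(quad)) {
    /* sizeof yields size_t: %zu is the matching conversion, %d is not. */
    errx(1, "unable to getrandom(%zu bytes)", sizeof(quad));
  }

  result = 0;
  /* size_t index: avoids comparing a signed int against sizeof(long). */
  for (i = 0; i < sizeof(long); i++) {
    result += quad[i]; /* unsigned addition, wraps on overflow */
    if (write(1, (void *)&quad[i], sizeof(long)) != sizeof(long)) {
      errx(1, "Why have you foresaken me, write()");
    }
  }

  /* A short read is treated as a failure; no retry is attempted. */
  if (read(0, (void *)&wanted, sizeof(long)) != sizeof(long)) {
    errx(1, "Unable to read\n");
  }

  if (result == wanted) {
    printf("You have successfully passed this level, well done!\n");
  } else {
    printf("Whoops, better luck next time. Receieved %lu, wanted %lu\n", wanted,
        result);
  }

  return 0;
}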

Dans cet exercice, le programme envoie n * n octets, où n est la taille du long dans l’architecture. En 32 bits, il envoie donc 4 * 4 = 16 octets. En 64 bits, 8 * 8 = 64 octets.

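La réponse attendue est la somme de n long, donc de 4 ou 8 nombres, dans la convention de l’architecture correspondante, donc avec la taille ad hoc. Les octets étant aléatoires, la somme dépasse systématiquement la taille max du long dans l’architecture ; côté serveur, l’addition sur unsigned long se fait modulo 2^32 ou 2^64, et c’est cette valeur tronquée qui est comparée à la réponse.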

Solution

Le script prend en paramètre l’architecture visée.

Si on lui passe 64 il appelle le serveur amd64, sinon le i486.

Pour obtenir le résultat, on effectue simplement un “et binaire” avec le masque de la bonne taille.

#!/usr/bin/python
from pwn import *
from binascii import hexlify
import sys

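host = 'localhost'
# Defaults target the i486 instance; pass "64" as first argument for AMD64.
port = 64012
longsz = 4

if len(sys.argv) > 1 and sys.argv[1] == '64':
    port = 64002
    longsz = 8

# Pick the unpack/pack pair and the wrap-around mask once, from the size of
# a long on the target, instead of branching on longsz at every use.
unpack_long, pack_long = (u32, p32) if longsz == 4 else (u64, p64)
mask = (1 << (8 * longsz)) - 1

p = remote(host, port)

# Banner, then the line announcing sizeof(long).
log.info(p.readline().decode(errors='replace').rstrip())
log.info(p.readline().decode(errors='replace').rstrip())

# "total" rather than "sum", so the builtin is not shadowed.
total = 0
for _ in range(longsz):
    # recvn() waits for exactly longsz bytes; read(longsz) may return fewer
    # and the unpack would then fail on the short buffer.
    data = p.recvn(longsz)
    n = unpack_long(data)
    total += n
    log.info("%s n=%d sum=%d", hexlify(data).decode(), n, total)

# Python integers do not overflow: the mask reproduces the wrap-around that
# the server's unsigned long addition performs.
resp = pack_long(total & mask)

log.info("Truncated sum : %s", hexlify(resp).decode())

# The server read()s exactly sizeof(long) bytes, so no newline is appended.
p.send(resp)
log.info(p.read().decode(errors='replace').rstrip())

p.close()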

Exécution

En 32 bits

$ ./net-two.py
[+] Opening connection to localhost on port 64012: Done
[*] Welcome to phoenix/net-two, brought to you by https://exploit.education
[*] For this level, sizeof(long) == 4, keep that in mind :)
[*] 01e5aaa4 n=2762663169 sum=2762663169
[*] b951231e n=505631161 sum=3268294330
[*] a312a53e n=1051005603 sum=4319299933
[*] fc890f49 n=1225755132 sum=5545055065
[*] Truncated sum : 59d3824a
[*] You have successfully passed this level, well done!
[*] Closed connection to localhost port 64012

En 64 bits

$ ./net-two.py 64
[+] Opening connection to localhost on port 64002: Done
[*] Welcome to phoenix/net-two, brought to you by https://exploit.education
[*] For this level, sizeof(long) == 8, keep that in mind :)
[*] 559282cb6ee146b0 n=12702087665022046805 sum=12702087665022046805
[*] e51cb60d65e29ed0 n=15032701529858907365 sum=27734789194880954170
[*] 188059e87a945379 n=8742494557261365272 sum=36477283752142319442
[*] 889ab19279975d25 n=2692474700645374600 sum=39169758452787694042
[*] cc5d66a755500e71 n=8146537104770751948 sum=47316295557558445990
[*] c85befd5e04269a1 n=11630901046090357704 sum=58947196603648803694
[*] 34a79bb97f7f0a0a n=723530876697945908 sum=59670727480346749602
[*] fde10a7ca9e9e16d n=7917866534033875453 sum=67588594014380625055
[*] Truncated sum : 9f0c400728ecfaa9
[*] You have successfully passed this level, well done!
[*] Closed connection to localhost port 64002