Pwnable.kr (Pictures)
Account created but only 6 challenges completed as yet
Four categories of challenges
- [Toddler's Bottle] - very easy challenges with simple mistakes.
- [Rookiss] - typical bug exploitation challenges for rookies.
- [Grotesque] - these challenges are grotesque-y. painful to solve it, but very tasty flag :)
- [Hacker's Secret] - intended solution for these challenges involves special techniques.
ssh [email protected] -p2222
You need to pass the binary a value such that it reads from fd 0, then send it the expected string for it to match when 'strcmp'ing it.
echo "LETMEWIN" | ./fd 4660
ssh [email protected] -p2222
You need to pass it a 20char password such that when each set of 4 chars, taken as a int, are added together, you get the hashcode value. Note that null chars will terminate the string early.
./col $'\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc9\xce\xc5\x06\xc8\xce\xc5\x06'
nc pwnable.kr 9000
You need to overflow the buffer and change the 'key' value that's further up the stack (remember stack goes from high to low). Unfortunately, there's other stuff between the overwritable buffer and the key (such as the return address, saved pointers, etc). Best approach is to download the binary and debug it in gdb. (Ideally with either GEF or pwndbg loaded!). If you happen to be running on a non-Linux box (and just want to try it before spinning up a VM), you might try blatting the stack with a series of '\xbe\xba\xfe\xca' (0xcafebabe in little-endian). Trial and error showed that 6 of them didn't get the "Nah.." message, so adding a ;cat
to echo the output gave the following, which can be used to cat the flag...
(python -c "print 32*'A'+'\xbe\xba\xfe\xca'*6";cat) | nc pwnable.kr 9000
(I really should take some time to have a look at pwntools rather than doing this all manually! :-))
Download the binary from http://pwnable.kr/bin/flag
The hint says that it's packed, and strings
and hexdump -C n 512
show the string "UPX" suggesting it's UPX-packed, so the quick approach is to download "upx" and try and decompress it with the tool via upx -d
.
(Of course, that's after I started decompiling it to run the decompresser prelude, until I realised I was doing that the hard way...). Once decompressed, either 'strings -n 20' or disassembing and looking at the text at the address in the 'flag' symbol will give the result.
Done, but not written up yet
Done, but not written up yet
ssh [email protected] -p2222
The challenge here is to run a program input
, passing it various inputs in various manners. Nominally striaghtforward, but I spent way more time on this than I'd have liked, getting caught up on various things.
Basic requirements are to run the program:
- Passing it 100 arguments, with 2 particualr args set to particular values
- Arrange things such that it can read particular series of bytes from fd's 0 & 2
- Arrange it such that it has an environment value set to a particular value
- Arrange it such that it reads a particular set of bytes from a named file
- Arrange it such that it opens and receives a particular set of byes via a network connection to a socket it's listening on
Started off trying an approach using the Python subprocess
module, which failed at stage 2, where I wasn't able to write to the subprocesses stderr, so switched to C, using fork/exec (then execve). Hit a few issues working out what was going on, as I thought I was having network problems but it turned out that my actual issue was with the permissions of the file, so the subprocess was terminating earlier than I was expecting...
Particular issues were that this worked happily enough on OSX, where I developed the runner.c
but not on the test linux VM until I tweaked open
's mode
field. It didn't help that when the socket failed, I initially immediately exited, rather then carried on & printed the output from the subprocess, which would have shown how far it had got.
This is an ARM decoding challenge - you need to work out and provide the value that will be produced by summing the 3 calls to ARM-assembly subroutines.
Not yet attempted
This involves the shellshock
bug & we're supplied via a vulnerable version of bash
and a program to exercise the bug. The important part here is to realise that the bug was that if there was a specially crafted environment variable (containing an exported function definition, followed by trailing commands), bash
would execute the command when importing the function. So...
- Create a function in the current environment, e.g. "export x='() { :;}; /bin/cat flag'"
- Run the supplied
./shellshock
program (which sets uid/gid then execute bash, triggering the bug) - PROFIT