Problem solving with pwnable.kr 06 - random and 09 - mistake

In this article, we learn how to intercept the data passed between a library function and the program, recall how file descriptors work, and solve the 6th and 9th tasks from the site pwnable.kr.
Organizational Information
Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:
- PWN;
- cryptography (Crypto);
- network technologies (Network);
- reverse (Reverse Engineering);
- steganography (Stegano);
- search and exploitation of WEB vulnerabilities.
In addition to this, I will share my experience in computer forensics, analysis of malware and firmware, attacks on wireless networks and local area networks, conducting pentests and writing exploits.
So that you can find out about new articles, software and other information, I created a channel in Telegram and a group to discuss any issues in the field of information and computer security. Also, I will personally consider your requests, questions, suggestions and recommendations and will answer everyone.
All information is provided for educational purposes only. The author of this document does not bear any responsibility for any damage caused to someone as a result of using knowledge and methods obtained as a result of studying this document.
Solution to random
We click the icon labelled random, and we are told that we need to connect via SSH with the password guest.

When connected, we see the corresponding banner.

Let's find out what files are on the server, as well as what rights we have.
ls -l
Thus, we can read the source code of the program, since it is readable by everyone, and execute the program random with the rights of its owner (the setuid bit is set). Let's look at the source code.

The program generates a random number, XORs it with the number we enter, and if the result of the XOR equals the reference value, it prints the flag.
The key point is that this program uses the rand() function. rand() produces a pseudo-random number from the seed set by srand(). srand(seed) must be called before rand() is used; if it is not, the library behaves as if srand(1) had been called before the first rand().
Thus, in this program the pseudo-random number generator transforms the same seed with the same algorithm on every run. We need to find out the number that rand() returns and XOR it with the reference value. Since XOR is reversible, passing the resulting value to the program's input gives us the flag.
Let's intercept the data passed between the rand() library function and our program. To do this, we use the ltrace utility.
ltrace ./random
We see with what parameters rand() is called and what value it returns. Now we XOR this value with the reference value.

We submit the resulting number to the program's input.

We submit the flag and get one point for such an easy task.
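The whole argument above, as an added example that is not the challenge's own code: rand() without srand() behaves like srand(1), so its first value is fixed and one observed value pins down the input; a hardened variant draws the number from the kernel CSPRNG instead. TARGET is a constructed stand-in for the challenge's reference value.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the challenge's reference value (not the real one). */
#define TARGET 0x13371337u

/* What rand() yields when the program never calls srand(): libc behaves as if
 * srand(1) had been called, so the value is identical on every run. */
unsigned int rand_with_default_seed(void) {
    srand(1);
    return (unsigned int)rand();
}

/* The check as the page describes it: the flag is printed iff key ^ rand() == TARGET.
 * Re-seeding here mirrors a fresh process start. */
int challenge_check(unsigned int key) {
    srand(1);
    return ((unsigned int)rand() ^ key) == TARGET;
}

/* XOR is its own inverse, so a single observed rand() value (obtained with
 * ltrace on the real box) determines the number that has to be entered. */
unsigned int recover_key(unsigned int observed_rand) {
    return observed_rand ^ TARGET;
}

/* Hardened variant: take the number from the OS CSPRNG (/dev/urandom on Linux)
 * instead of a deterministic rand(). Returns 1 on success, 0 on failure. */
int os_random_u32(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

int main(void) {
    unsigned int r = rand_with_default_seed();
    unsigned int key = recover_key(r);
    printf("default-seed rand(): %u  key: %u  check: %d\n", r, key, challenge_check(key));
    unsigned int s;
    if (os_random_u32(&s))
        printf("CSPRNG value: %u (differs between runs)\n", s);
    return 0;
}
```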

Solution to mistake
We click the icon labelled mistake, and we are told that we need to connect via SSH with the password guest.

When connected, we see the corresponding banner.

Let's find out what files are on the server, as well as what rights we have.
ls -l
Thus, we can read the source code of the program, since it is readable by everyone, and execute the program mistake with the rights of its owner (the setuid bit is set). Let's look at the source code.

At the very beginning of the program, a file is opened and a file descriptor is obtained. I already wrote about file descriptors in detail in an earlier article. But there is a mistake in the condition: because the comparison operator binds tighter than assignment, the comparison is evaluated first, its result is false, and that false result (i.e. 0) is assigned to the variable fd.

Next, the sleep function is called, and then data is read into the pw_buf variable without any prompt for input. Because of the error in the condition, it is read not from the opened password file but from standard input (descriptor 0).
Next, we enter 10 characters, which are XORed character by character with 1 and compared with the password.

Thus, we enter two lines whose characters must satisfy this XOR relation, so we need two characters whose XOR equals 1.

These are the characters A and @. Now we enter two lines into the program: one of ten 'A' characters and the other of ten '@' characters.

We submit the flag and get one more point.
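The precedence bug and the XOR-with-1 check described above, as an added example that is not the challenge's own code: the buggy condition leaves fd equal to 0 (standard input) whenever open() succeeds, the corrected condition keeps the real descriptor, and 'A' ^ 1 == '@'. The temp file path and the password content are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PW_LEN 10

/* Creates a constructed password file for the demo and returns its path. */
const char *make_temp_pw_file(void) {
    static char path[32];
    strcpy(path, "/tmp/pw_demo_XXXXXX");      /* constructed, not the challenge's path */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    if (write(fd, "@@@@@@@@@@", PW_LEN) != PW_LEN) { close(fd); return NULL; }
    close(fd);
    return path;
}

/* The buggy form the page describes: '<' binds tighter than '=', so fd receives
 * the comparison result, which is 0 (false) when open() succeeds. The extra outer
 * parentheses only silence gcc's -Wparentheses hint; the precedence is unchanged.
 * The real descriptor returned by open() is leaked. */
int open_buggy(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY) < 0)) return -1;
    return fd;                                /* 0 == STDIN_FILENO */
}

/* Corrected form: parenthesise the assignment so fd receives open()'s result. */
int open_fixed(const char *path) {
    int fd;
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    return fd;
}

/* The password check as the page describes it: each input byte XOR 1 must equal
 * the corresponding password byte. 'A' (0x41) ^ 1 == '@' (0x40). */
int xor1_matches(const char *input, const char *password) {
    for (int i = 0; i < PW_LEN; i++)
        if ((input[i] ^ 1) != password[i]) return 0;
    return 1;
}

int main(void) {
    const char *p = make_temp_pw_file();
    if (!p) return 1;
    printf("buggy fd: %d, fixed fd: %d\n", open_buggy(p), open_fixed(p));
    printf("AAAAAAAAAA vs @@@@@@@@@@: %d\n", xor1_matches("AAAAAAAAAA", "@@@@@@@@@@"));
    unlink(p);
    return 0;
}
```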

See you in the following articles!
We are on Telegram: a channel in Telegram.