Problem name: prodigy
Problem statement:
Self-proclaimed prodigy Gourav has just learnt about binaries and compilers. He believes he can hide anything in the binary as long as he doesn’t print it. Show him that he is wrong.
Binary file: prodigy
Walk-through:
Open the binary in gdb and disassemble main.
As you can see, there is no cmp or jmp, only a single call to puts(), which just prints a weird message: You won’t find anything here #grvdkd #irock
So main() has nothing. There must be another function in the program that holds the flag, and this function is never called from main.
The next step was finding that function.
I used objdump to disassemble all functions and found a function getFlag().
Next I opened the binary in gdb again and disassembled getFlag (just to see it in Intel flavour, as the objdump output is harder to read).
After analysing the assembly I found a call to the strncat function at <getFlag+225>, which seemed interesting.
So I put a breakpoint at the next instruction to see what is on the stack after the call to strncat().
I set two breakpoints:
- at main
- at getFlag+230 (the instruction right after the strncat() call)
Run the program; after the first breakpoint (main) is hit, jump to getFlag.
After the jump, breakpoint 2 is hit and voilà, the flag is sitting in the EAX register.
As you can see, the flag is CodefestCTF{`cZNjbcipTKZgHL}, stored in EAX.
________________________________________________________________________________________________
Problem name: ACCESS DENIED
Find the problem at: nc 34.216.132.109 9094
Statement:
A school IT staff manages access to secure files by the method of access codes. You are required to give your name and the access code, and the program will give out secret information.
It checks whether you already have an access code, and generates a new random one along with a new user ID allotted to the user if that user is not found locally on the system. The access codes are known to have random expiration times (don’t know what goes on in their minds!), so don’t be surprised if you generated an access code just seconds ago and next time the same access code doesn’t work.
Johnny decided to go into the IT room and copy the program onto his pendrive. You can find it here.
Can you get the secret information out of the program? The service runs on 34.216.132.109 on port 9094.
The source code Johnny copied is:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import random
import user_functions

user = raw_input("Enter your name: ")
if not user_functions.exists(user):
    # generate a code
    count_ = user_functions.generateID(user)%1000 #User ID/ UID in the table is always positive
    generator = "xorshift"
    random.seed(generator)
    count = 0;
    for ch in user:
        ra = random.randint(1, ord(ch))
        rb = (ord(ch) * random.randint(1, len(user))) ^ random.randint(1, ord(ch))
        count += (ra + rb)/2
    code = 1
    for i in range(1,count+count_):
        code = (code + random.randint(1, i) ) % 1000000
    final = random.randint(1,9) * 1000000 + code
    #store it in the database
    user_functions.store(user, final)
else:
    #if user already exists, fetch access code
    final = user_functions.get_code(user)

code = raw_input("Enter your access code: ").strip()
while True:
    if code.isdigit():
        if (int(code) == final):
            print "The flag is " + user_functions.get_flag(user)
            exit()
        else:
            print "Incorrect access code"
    else:
        print "The code must be an integer"
    code = (raw_input("\nPlease enter the code: "))
print "\n###############################################"
As you can see, the code is very straightforward.
‘name’ is the username, and the password is generated by some operations on ‘name’ and stored in ‘final’, which is an int.
Two variables are used to calculate ‘final’: ‘count’ and ‘count_’.
‘count’ is the same every time as long as we give the same value for ‘name’,
but ‘count_’ is something in the range (0, 1000) and we don’t know its value.
The calculation of ‘final’ also includes some randomly generated integers.
However, the random numbers come from a generator seeded with the fixed string “xorshift”, and calling random with the same seed always produces the same output, so every one of those values can be reproduced if we know the seed.
So the task is to generate all 1000 possible values of ‘final’ and brute force them.
I wrote a very simple Python script which is self-explanatory.
crackAccessDenied.py
from pwn import *
import random
import sys

name = 'cbmhacker'
passwords = []

# count_ is the unknown user ID modulo 1000, so compute 'final' for each of its 1000 values
for count_ in range(0, 1000):
    random.seed("xorshift")  # same fixed seed as the service, so the same random stream
    count = 0
    for ch in name:
        ra = random.randint(1, ord(ch))
        rb = (ord(ch) * random.randint(1, len(name))) ^ random.randint(1, ord(ch))
        count += (ra + rb)/2
    code = 1
    for i in range(1, count+count_):
        code = (code + random.randint(1, i)) % 1000000
    final = random.randint(1,9) * 1000000 + code
    passwords.append(final)

conn = remote('34.216.132.109', 9094)
conn.sendline(name)
# try each candidate in turn; the service keeps prompting until the right one is entered
for final in passwords:
    flag = conn.recv()
    if 'CodefestCTF{' not in flag:
        conn.sendline(str(final))
    else:
        print(flag)
        sys.exit()
Run this Python script.
Bravo!! The flag is CodefestCTF{1_s33_y0u_4r3_a_m4n_0f_r4nd0mn3ss}
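As an added example (not the writeup's script and not the service's own code), the code below reproduces the access-code arithmetic offline in Python 3: service_code is the service's computation for one (name, count_) pair, candidate_codes enumerates all 1000 candidates in a single pass by forking the generator state, and issue_code_securely shows the fix. It uses // where the Python 2 original's / is integer division; the numbers differ from the Python 2 service because Python 3 seeds strings differently, but the fixed-seed, enumerable-set property is identical.

```python
import random
import secrets

# Added example, not the writeup's script or the service's code: the
# service's arithmetic in Python 3 (`//` where the Python 2 original's
# `/` is integer division), plus the hardened way to issue a code.
SEED = "xorshift"  # the fixed seed hard-coded in the service
MOD = 1000000

def service_code(name, count_):
    """The service's `final` for one (name, count_) pair, computed directly."""
    random.seed(SEED)
    count = 0
    for ch in name:
        ra = random.randint(1, ord(ch))
        rb = (ord(ch) * random.randint(1, len(name))) ^ random.randint(1, ord(ch))
        count += (ra + rb) // 2
    code = 1
    for j in range(1, count + count_):
        code = (code + random.randint(1, j)) % MOD
    return random.randint(1, 9) * MOD + code

def candidate_codes(name):
    """All 1000 values `final` can take for `name` (count_ = 0 .. 999).

    The seed is fixed, so every candidate reads the same stream: the one for
    count_ = k is the stream consumed count + k - 1 steps deep.  Walk it once
    and fork the generator state at each step instead of re-seeding 1000 times.
    """
    rng = random.Random(SEED)
    count = 0
    for ch in name:
        ra = rng.randint(1, ord(ch))
        rb = (ord(ch) * rng.randint(1, len(name))) ^ rng.randint(1, ord(ch))
        count += (ra + rb) // 2
    finals, code, j = [], 1, 1
    for count_ in range(1000):
        while j < count + count_:          # extend the shared prefix by one step
            code = (code + rng.randint(1, j)) % MOD
            j += 1
        state = rng.getstate()             # fork: peek at randint(1, 9) ...
        finals.append(rng.randint(1, 9) * MOD + code)
        rng.setstate(state)                # ... then rewind for the next count_
    return finals

def issue_code_securely():
    """Hardened form: the code derives from neither the name nor a fixed seed,
    so there is no stream to replay and no 1000-element candidate set."""
    return secrets.randbelow(9 * MOD) + MOD  # seven digits, 1000000..9999999
```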
When I am in gdb I only see where I am. How can I see registers, code, stack, etc., as seen in the last screenshot?
I am using the peda extension of gdb. peda is a Python script which makes things easier; see the link https://github.com/longld/peda
Thanks!