
In this article we will learn how to intercept the data passed between a library function and the program, recall what file descriptors are, and solve the 6th and 9th tasks from the site pwnable.kr.
Organizational information
Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:
- PWN;
- cryptography (crypto);
- network technologies (Network);
- reverse (Reverse Engineering);
- steganography (Stegano);
- search for and exploitation of web vulnerabilities.
In addition, I will share my experience in computer forensics, analysis of malware and firmware, attacks on wireless and local area networks, pentesting and writing exploits.
So that you can learn about new articles, software and other information, I have created a Telegram channel and a group for discussing any issues in the field of information and computer security. I will also personally consider your requests, questions, suggestions and recommendations, and answer them all.
All information is presented solely for educational purposes. The author of this document does not bear any responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained by studying this document.
Solution of the random task
We click on the icon labelled random, and we are told that we need to connect via SSH with the password guest.

When connected, we see the appropriate banner.

Let's find out what files are on the server, as well as what rights we have.
ls -l

Thus, we can read the source code of the program, since it is readable by everyone, and execute the random program with the owner's rights (the setuid bit is set). Let's review the source code.

The program generates a random number, XORs it with the number we enter, and if the result of the XOR equals the reference value, prints the flag.
The point is that this program uses the rand() function. This function produces a pseudo-random number by transforming the seed set by srand(). srand(seed) should be called before the first call to rand(); if it is not, rand() behaves as if srand(1) had been called.
Thus, in this program the pseudo-random number generator transforms the same seed with the same algorithm on every run, so rand() always returns the same value. We need to learn the number that rand() returns and XOR it with the reference value. Since XOR is reversible, giving the resulting value to the program as input yields the flag.
Let's intercept the data between the rand () library function and our program. For this we use the utility ltrace.
ltrace ./random

We see the parameters with which rand() is called and the value it returns. Now XOR this value with the reference one.

Feed the resulting number to the program's input.
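The whole chain, as an added example rather than the task's own source: the model of the check (a stand-in for the challenge's binary), the guarantee that an unseeded rand() equals the srand(1) sequence, and the XOR inversion that recovers the key. The reference constant TARGET is an assumption; the real one is only visible in the challenge's source.

```c
#include <stdio.h>
#include <stdlib.h>

/* Reference value the program compares (key ^ random) against.
   Assumed stand-in for this example; the real constant is in the task's source. */
#define TARGET 0x1234abcdu

/* Value of the program's first rand() call. The C standard guarantees that
   rand() called without any srand() produces the same sequence as srand(1),
   so re-seeding with 1 reproduces exactly what the unseeded program sees. */
unsigned int first_rand(void)
{
    srand(1);
    return (unsigned int)rand();
}

/* Model of the challenge's check: random comes from rand(), key from the user. */
int challenge_accepts(unsigned int key)
{
    unsigned int random = first_rand();
    return (key ^ random) == TARGET;
}

/* Attacker side: XOR is its own inverse, so if key ^ random == TARGET
   then key == random ^ TARGET. */
unsigned int recover_key(void)
{
    return first_rand() ^ TARGET;
}

int main(void)
{
    unsigned int key = recover_key();
    printf("first rand() without srand(): %u\n", first_rand());
    printf("number to give the program:   %u\n", key);
    printf("program accepts it: %s\n", challenge_accepts(key) ? "yes" : "no");
    return 0;
}
```

On a real target you would take the rand() value from the ltrace output instead of calling first_rand(), since the binary may have been built against a different libc than your own machine.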

We submit the flag and get one point for such an easy task.

Solution of the mistake task
We click on the icon labelled mistake, and we are told that we need to connect via SSH with the password guest.

When connected, we see the appropriate banner.

Let's find out what files are on the server, as well as what rights we have.
ls -l

Thus, we can read the source code of the program, since it is readable by everyone, and execute the mistake program with the owner's rights (the setuid bit is set). Let's review the source code.

At the very beginning of the program a file is opened and a file descriptor is obtained. I already wrote about file descriptors in detail in
THIS article. But the condition contains a mistake: because of operator precedence, the comparison of open()'s return value with zero is performed first, and only then is its result (false, that is, 0) assigned to the variable fd.

Next, the sleep function is called and data is read, without any prompt, into the pw_buf variable. But because of the error in the condition, it is read not from the opened password file but from standard input (descriptor 0).
Then we enter 10 more characters, each of which is XORed with 1 and compared with the "password".

Thus, we need to enter two strings whose corresponding characters XOR to 1. Let us find two characters whose XOR is 1.

These are the characters 'A' (0x41) and '@' (0x40). Now we enter two lines into the program: one of ten 'A' characters and another of ten '@' characters.
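The precedence bug and the resulting input pair, as an added example that is not the task's own source. fake_open() is a constructed stand-in for open() that pretends the password file landed on descriptor 3; PW_LEN and XORKEY mirror the behaviour described above (10 characters, XOR with 1).

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 10
#define XORKEY 1

/* Stand-in for open() on the password file: pretend it succeeded and
   returned descriptor 3 (constructed value for the example). */
static int fake_open(void)
{
    return 3;
}

/* The condition as written in the task. '<' binds tighter than '=', so fd
   is assigned the result of (open(...) < 0): 0 whenever open() succeeds. */
int fd_from_buggy_condition(void)
{
    int fd;
    if (fd = fake_open() < 0) {
        return -1;
    }
    return fd;          /* 0 == stdin, not the password file */
}

/* The intended condition: parentheses force the assignment first. */
int fd_from_fixed_condition(void)
{
    int fd;
    if ((fd = fake_open()) < 0) {
        return -1;
    }
    return fd;          /* 3, the password file */
}

/* The program XORs every byte of the user's input with XORKEY. */
void xor_buf(char *s, int len)
{
    for (int i = 0; i < len; i++) {
        s[i] ^= XORKEY;
    }
}

/* XOR with a constant is its own inverse, so the second line we must type
   is simply the first line with every byte XORed by XORKEY. */
void build_second_line(const char *first, char *second)
{
    memcpy(second, first, PW_LEN);
    second[PW_LEN] = '\0';
    xor_buf(second, PW_LEN);
}

/* Model of the check once the bug makes both reads come from stdin:
   line1 is what read(0, ...) receives as the "password", line2 what scanf gets. */
int password_accepted(const char *line1, const char *line2)
{
    char pw_buf[PW_LEN + 1], pw_buf2[PW_LEN + 1];
    memcpy(pw_buf, line1, PW_LEN);
    pw_buf[PW_LEN] = '\0';
    memcpy(pw_buf2, line2, PW_LEN);
    pw_buf2[PW_LEN] = '\0';
    xor_buf(pw_buf2, PW_LEN);
    return strncmp(pw_buf, pw_buf2, PW_LEN) == 0;
}

int main(void)
{
    char second[PW_LEN + 1];
    printf("buggy condition leaves fd = %d\n", fd_from_buggy_condition());
    printf("fixed condition leaves fd = %d\n", fd_from_fixed_condition());
    build_second_line("AAAAAAAAAA", second);
    printf("type:  AAAAAAAAAA\nthen:  %s\n", second);
    printf("accepted: %s\n", password_accepted("AAAAAAAAAA", second) ? "yes" : "no");
    return 0;
}
```

Compiling with gcc -Wall reports "suggest parentheses around assignment used as truth value" on the buggy line, which is exactly the class of mistake this task is built around.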

We submit the flag and get another point.

See you in the next articles!