In this article, we will consider the solutions of 3 tasks from the site pwnable.kr.
Organizational Information
Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:
- PWN;
- cryptography (Crypto);
- network technologies (Network);
- reverse (Reverse Engineering);
- steganography (Stegano);
- search and exploitation of WEB vulnerabilities.
In addition to this, I will share my experience in computer forensics, analysis of malware and firmware, attacks on wireless networks and local area networks, conducting pentests and writing exploits.
So that you can find out about new articles, software and other information, I created a channel in Telegram and a group to discuss any issues in the field of ICD. I will also personally consider your requests, questions, suggestions and recommendations and will answer everyone.
All information is provided for educational purposes only. The author of this document does not bear any responsibility for any damage caused to anyone as a result of using knowledge and methods obtained as a result of studying this document.
Solving the coin1 task
We click on the icon labeled coin1 and are given the address and port to connect to.

After connecting, we are offered a game and shown its rules. We are given only 60 seconds to complete it, so we will have to automate everything.

According to the rules of the game, we are given N coins, each weighing 10, except for one whose weight is 9. We are also given the number of chances (rounds) C for one game. In each round we send a set of coin indices and receive their total weight in return. Thus, using binary search, we can find the desired coin.
Let's write the code. To get started, establish a connection to the server, accept and parse the numbers N and C.
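```python
from pwn import *

r = remote('pwnable.kr', 9007)
r.recv()                       # rules banner
s = r.recv().decode()          # Python 3: pwntools returns bytes
print(s)
n = int(s.split(' ')[0][2:])                # value after "N="
c = int(s.split('=')[2].split('\n')[0])     # value after "C="
print(n, c)
```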

Fine. Now we will write the part that passes one level. To do this, we need an array of values from 1 to N + 1 and a loop of C steps, each iteration of which sends half of the array. If the weight returned in the answer is divisible by 10 without a remainder, then our coin is in the other part of the array. We then split that part in half and do the same with it, and so on until the coin is found.
```python
mas = list(range(1, n + 1))
for i in range(c):
    s = ""
    # keep the queried half non-empty once a single candidate is left
    if len(mas) == 1:
        mas.append(mas[0])
    for j in mas[:len(mas) // 2]:
        s += (str(j) + " ")
    print(s)
    r.send((s + "\n").encode())
    nr = r.recv().decode()
    print(nr)
    if int(nr) % 10:
        # weight is not a multiple of 10: the light coin is in the sent half
        mas = mas[:len(mas) // 2]
    else:
        mas = mas[len(mas) // 2:]
r.send((str(mas[0]) + "\n").encode())
print(r.recv())
```

Now add this solution to the loop to complete all levels.
```python
from pwn import *

r = remote('pwnable.kr', 9007)
r.recv()
for level in range(1, 101):
    s = r.recvline().decode()
    n = int(s.split(' ')[0][2:])
    c = int(s.split('=')[2].split('\n')[0])
    mas = list(range(1, n + 1))
    for i in range(c):
        s = ""
        if len(mas) == 1:
            mas.append(mas[0])
        for j in mas[:len(mas) // 2]:
            s += (str(j) + " ")
        r.send((s + "\n").encode())
        nr = r.recv().decode()
        if int(nr) % 10:
            mas = mas[:len(mas) // 2]
        else:
            mas = mas[len(mas) // 2:]
    # all C rounds used: report the remaining candidate
    r.send((str(mas[0]) + "\n").encode())
    r.recvline()
    if level % 5 == 0:
        print("Check " + str(level) + "/100")
print(r.recv())
```

We submit the flag and get points.
Solving the blackjack task
We click on the first icon, labeled coin1, and are given the address and port to connect to. We are also told that we need to win a million.

After connecting, we are offered a game and asked whether we are ready.

After we answer, a menu appears: start the game, read the rules, or exit the game.

Starting a new game.

Such tasks are often found in CTFs, and it is useful to know about them. Most likely negative numbers are not handled. Thus, if you enter -999500 and lose, a negative number is subtracted from our bank, that is, a positive number is added (500 - (-500) = 500 + 500 = 1000). We enter -1000000.
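The missing sign check described above, modelled next to a hardened version. This is an added example, not the challenge's source: all function names are hypothetical, and the starting bank of 500 is taken from the article's arithmetic.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the suspected check: only the upper bound is tested. */
static int bet_ok_weak(long cash, long bet) {
    return bet <= cash;
}

/* Hardened check: the stake must be strictly positive and covered by the bank. */
static int bet_ok_strict(long cash, long bet) {
    return bet > 0 && bet <= cash;
}

/* Hardened input path: the whole line must be one in-range decimal number.
   Returns the accepted stake, or -1 if the input is rejected. */
static long parse_bet(const char *text, long cash) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || (*end != '\0' && *end != '\n'))
        return -1;
    return bet_ok_strict(cash, v) ? v : -1;
}

/* A lost round subtracts the stake, so a negative stake grows the bank. */
static long lose_round(long cash, long bet, int (*ok)(long, long)) {
    return ok(cash, bet) ? cash - bet : cash;
}

int main(void) {
    long cash = 500; /* assumed starting bank, from the article's arithmetic */
    printf("weak check:   %ld\n", lose_round(cash, -999500, bet_ok_weak));
    printf("strict check: %ld\n", lose_round(cash, -999500, bet_ok_strict));
    printf("parse_bet(\"-999500\") -> %ld\n", parse_bet("-999500\n", cash));
    return 0;
}
```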


We submit the flag and get one more point.
Solving the lotto task
We click on the first icon, labeled lotto, and are told that we need to connect via SSH with the password guest.

When connected, we see the corresponding banner.

Let's find out what files are on the server, as well as what rights we have.

Let's look at the source code.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>

unsigned char submit[6];

void play(){

	int i;
	printf("Submit your 6 lotto bytes : ");
	fflush(stdout);

	int r;
	r = read(0, submit, 6);

	printf("Lotto Start!\n");
	//sleep(1);

	// generate lotto numbers
	int fd = open("/dev/urandom", O_RDONLY);
	if(fd==-1){
		printf("error. tell admin\n");
		exit(-1);
	}
	unsigned char lotto[6];
	if(read(fd, lotto, 6) != 6){
		printf("error2. tell admin\n");
		exit(-1);
	}
	for(i=0; i<6; i++){
		lotto[i] = (lotto[i] % 45) + 1;		// 1 ~ 45
	}
	close(fd);

	// calculate lotto score
	int match = 0, j = 0;
	for(i=0; i<6; i++){
		for(j=0; j<6; j++){
			if(lotto[i] == submit[j]){
				match++;
			}
		}
	}

	// win!
	if(match == 6){
		system("/bin/cat flag");
	}
	else{
		printf("bad luck...\n");
	}

}

void help(){
	printf("- nLotto Rule -\n");
	printf("nlotto is consisted with 6 random natural numbers less than 46\n");
	printf("your goal is to match lotto numbers as many as you can\n");
	printf("if you win lottery for *1st place*, you will get reward\n");
	printf("for more details, follow the link below\n");
	printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n");
	printf("mathematical chance to win this game is known to be 1/8145060.\n");
}

int main(int argc, char* argv[]){

	// menu
	unsigned int menu;

	while(1){

		printf("- Select Menu -\n");
		printf("1. Play Lotto\n");
		printf("2. Help\n");
		printf("3. Exit\n");

		scanf("%d", &menu);

		switch(menu){
			case 1:
				play();
				break;
			case 2:
				help();
				break;
			case 3:
				printf("bye\n");
				return 0;
			default:
				printf("invalid menu\n");
				break;
		}
	}
	return 0;
}
```
There is nothing interesting in the main() function. The play() function is of interest; after analyzing it we will understand the logic of the program. First, we enter 6 values, then the program pseudo-randomly generates another 6 in the range (1-45), after which these two sequences are compared. We get the flag with 6 matches. But the check is done incorrectly: in the nested loop, each character of the entered sequence is compared with each generated character, so one submitted value repeated six times is counted six times whenever it equals a generated number.

Thus, we will enter 6 identical characters each time until we get the flag. I entered !!!!!!, and got the flag 7 times.
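The flawed comparison from play() next to a corrected one, as an added example that is not part of the original article or the challenge source; match_fixed, ticket_valid and the sample arrays are constructed for illustration. With six identical bytes the flawed loop reports 6 whenever exactly one drawn number equals that byte ('!' is byte value 33, which lies inside 1-45).

```c
#include <stdio.h>

#define N 6

/* Constructed sample data: one draw, six identical bytes, one ordinary ticket. */
static const unsigned char DRAW[N]   = {7, 33, 12, 45, 1, 20};
static const unsigned char SAME[N]   = {'!', '!', '!', '!', '!', '!'}; /* '!' == 33 */
static const unsigned char HONEST[N] = {1, 7, 9, 20, 30, 44};

/* Comparison as in play(): every drawn byte against every submitted byte. */
static int match_flawed(const unsigned char *lotto, const unsigned char *submit) {
    int match = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            if (lotto[i] == submit[j])
                match++;
    return match;
}

/* Corrected: a submitted entry is consumed by at most one drawn number. */
static int match_fixed(const unsigned char *lotto, const unsigned char *submit) {
    int used[N] = {0}, match = 0;
    for (int i = 0; i < N; i++)
        for (int j = 0; j < N; j++)
            if (!used[j] && lotto[i] == submit[j]) {
                used[j] = 1;
                match++;
                break;
            }
    return match;
}

/* Validation the original lacks: six distinct values, each in 1..45. */
static int ticket_valid(const unsigned char *submit) {
    unsigned char seen[46] = {0};
    for (int j = 0; j < N; j++) {
        if (submit[j] < 1 || submit[j] > 45 || seen[submit[j]])
            return 0;
        seen[submit[j]] = 1;
    }
    return 1;
}

int main(void) {
    printf("identical bytes: flawed=%d fixed=%d valid=%d\n",
           match_flawed(DRAW, SAME), match_fixed(DRAW, SAME), ticket_valid(SAME));
    return 0;
}
```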

We submit the flag and get two points. See you in the following articles!