Challenge hint: "If you have been knockedup then you know what to do. Perhaps try "tirer"."
The challenge could only be solved after solving "knockedupd" and retrieving the binary from the server. It was a heap exploitation challenge and the goal was to get a remote shell. Once you got system() to execute "/bin/sh", however, you discovered that the flag was owned by root! Luckily, a suspicious knockd.conf file located in the same directory could be read to get specific UDP ports. Using the knockedupd script from the first challenge, you could knock on these ports and get the flag.
Find a way to exploit the indexing done by the data storage program, leak addresses, overwrite a function in the GOT and execute system("/bin/sh").
(Python script to get system("/bin/sh") executed on the server, the matching libc used to calculate offsets and the binary of the server to pwn linked at the bottom.)
1) Solve "knockedupd" and knock (using UDP) at ports 18547, 8846, 24467, then netcat to 22.214.171.124 at port 13495 to get a "shell" interface.
2) Following the hint for the challenge, enter "tirer" in the shell and receive the server binary.
3) Reverse the binary (IDA/gdb) to see which commands store data blocks to and retrieve data blocks from the heap.
4) Using a vulnerability resulting from the use of atoi(), overwrite a data block's metadata.
5) Call this data block from the heap using a different command to leak text addresses.
6) Repeat this leaking process but with an offset of the text address to leak the GOT address.
7) Using the option to update a data block on the heap and the same atoi() vulnerability, overwrite the GOT entry of memcmp() with the address of system().
8) Find an option in the program allowing the user to call the overwritten function with the user input string "/bin/sh".
9) Using the remote shell, cd into the challenge folder and realize the flag is owned by root.
10) Open the conf file also stored in the same directory and note the udp ports and netcat port (as in "knockedupd").
11) Using the script from "knockedupd", knock at the new ports (the service then adds a new rule to the iptables).
12) Connect to the port specified in this new conf file, now reachable through the added iptables rule. Receive the flag!
The 8 commands, as seen in the shell interface:
>accumuler
Length:10
Data:AAAAAAAAAA
Received:10
>update
Index:0
Byte:0
Value:B
>bilan
Id:0 Length:10 Data:BAAAAAAAAA
>remove
Index:0
>bilan
>select
Enter user:A
User not found
>norandoms
Nope.
>randoms
Nope.
>toggle
The norandoms and randoms options seemed to calculate a bunch of values with a random number (perhaps this is implicit :P), but we didn't spend much time reversing them and they didn't seem to matter for getting the flag.
Accumuler created a data block from user input of length N and data X, storing this in a structure on the heap. Update changed a single byte at the location specified in the metadata section of the data block at the Nth index in the heap structure. Bilan printed all of the data blocks in the heap structure. Remove removed the Nth data block from the heap structure. Select took the user input and verified that it was one of the hardcoded users using memcmp(). One thing to note is that it only compares strings if the length of your string matches the length of the hardcoded username. The hardcoded users were: babeuf, barry, barnave, brissot, chaumette, chenier, cloots. Toggle changed the program options so that instead of calling a function directly when a command was entered, it would call the same function through a jump table that was dynamically allocated on the heap (right beneath the data blocks).
The indexing code took the user input (s), converted it to an integer (v5) with atoi(), and only checked whether it was greater than the size of the data structure (v0), i.e. an attempt to index past the end. It never checked whether the user was attempting to index before the start, a.k.a. negative indexes were allowed!
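As an added illustration of the bug just described (this is not code from the writeup or from the challenge binary), the one-sided check is shown beside a hardened version that parses with strtol() and enforces both bounds. The function names and the REJECTED sentinel are assumptions for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Sentinel for a rejected index (constructed for this example; the real
 * server's error handling is not reproduced here). */
#define REJECTED LONG_MIN

/* The weak check described above: the atoi() result is compared against
 * the block count only from above, so "-1" passes and indexes before the
 * start of the structure. atoi() also silently returns 0 on garbage. */
long index_vulnerable(const char *s, long count)
{
    long v = atoi(s);
    if (v >= count)
        return REJECTED;        /* upper bound only */
    return v;                   /* a negative v is handed back unchanged */
}

/* Hardened parser: strtol() with end-pointer and errno checks, then a
 * two-sided range check 0 <= v < count. */
long index_hardened(const char *s, long count)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return REJECTED;        /* empty input, trailing junk, or overflow */
    if (v < 0 || v >= count)
        return REJECTED;        /* both bounds enforced */
    return v;
}

int main(void)
{
    /* Constructed sample inputs against a structure holding 3 blocks. */
    const char *inputs[] = { "0", "3", "-1", "2abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        long a = index_vulnerable(inputs[i], 3);
        long b = index_hardened(inputs[i], 3);
        printf("%-5s vulnerable: %-8s hardened: %s\n", inputs[i],
               a == REJECTED ? "rejected" : "accepted",
               b == REJECTED ? "rejected" : "accepted");
    }
    return 0;
}
```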
Segments of metadata for each block stored in the heap data structure:
Data Structure Start:
  Block N:
    Size
    Block Address
    ????
    <...Data....>
Other Heap Data
The first thing to overwrite is the size. Doing this makes the program think the data block is much larger than it actually is; calling bilan after doing this prints out data stored on the heap after this data block, a data leak!
python defconquals2015_heapsoffun_client.py
>select
Enter user:/bin/sh
whoami
heapsoffun

The entire conf file was not saved, so a placeholder is substituted below.

reHEAPS sophia$ python defconquals2015_heapsoffun_client.py
>select
Enter user:/bin/sh
whoami
heapsoffun
cd /home/heapsoffun/
cat knockd.conf
... *udp ports to knock at* ...
... *port to nc to* ...
reHEAPS sophia$ python defconquals2015_knockedupd_client.py
ports:18547, 8846, 24467
delay: 0
reKNOCK sophia$ nc 126.96.36.199 13495
The flag is: 'N0w w4sn't 7h47 just 4 h34p 0f PFM?'
SERVER (Patched out Timer)
Initially, instead of using the vulnerability to overwrite a GOT address to call system() on user input, we tried to use eip to jump to a one-gadget win.
Referenced here: Dragon Sector RCE, as they had the same libc as the one found in the challenge.
Unfortunately this didn't work :D