Sheet 3

General Information

All solutions must be created with Python but could also be combined with some Bash scripting. If you are new to Python have a look online… there are many good resources to get started such as this course, this blog post and this slide deck. Feel free to post other resources to the mailing list to help other PABE students.

Please keep in mind that you should:

  • read the task description carefully

  • push all your changes to the GitLab repository (master branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site!

  • make sure that your solution (also) runs on the virtual machine (and not just your local machine); this also means that you must install all additional packages yourself from within the solution script (e.g., os.system("pip install --user -r requirements.txt"))

  • make sure that the solution is an executable script named solution (chmod +x ./solution) with a working shebang line at the top (e.g., #!/usr/bin/env python2) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … just solution)

  • the final solution string, and only that, must be written to stdout and could be a number, a string, a string with the format FLAG{{some letters and digits here}}, depending on the specific task

  • describe what you are doing using detailed comments for all your solution scripts no matter if it is a Python or Bash script! For Python, for example, use Docstrings (link) or inline comments:

    1
2
3
4
5
6
7
8

    def check_input_length(input_string):
    """
    The input string must have a length greater than 42 and must also be even.
    """
    length = len(input_string)

    # the final check happens here
    return (length > 42) and (length % 2 == 0)

    1
2

    
is helps us to find out if you really understood the task and you are not just brute-forcing some solutions.

  • make sure that your solution executes within 10 seconds (this is a hard timeout on our server)

The deadline for this sheet is Tuesday, 2019-12-03 23:59:59

Task 11 – Key Checker II

The program check_key needs a valid key as an input. Find out how to provide the key to the program and how the key checking algorithm works (use a disassembler such as IDA Pro 7, radare2, binary ninja or use a debugger, such as gdb). The final task is to write a Python script as solution that is able to generate one valid key and print it to stdout. This time you must use the z3 Python module (link) (link) to solve the constraints on the key.

Your solution could, for example, look like this:

1
2

./solution
thisisavalidkey

Task 12 – Function Tracer

To make you even more familiar with GDB (you’ll need it for the upcoming exploitation exercises a lot!) here is another task to be solved with a GDB Python script (link).

Your task is to program a function call tracer for the traceme binary that outputs the name of all functions visited during the execution of the program. Start the tracing at _start and let the program run until it finishes.

Write the trace to a file first and then print the content of the file to stdout, thus you avoid having all the verbose output of GDB in your output. Your program should run with pure GDB not pwndbg!

Your solution could look like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

$ ./solution
_start
__libc_start_main
get_common_indeces.constprop.1
generic_start_main
_dl_aux_init
_dl_discover_osversion
uname
__pthread_initialize_minimal
sbrk
brk
brk
memcpy
__libc_init_first
__libc_init_secure
_dl_non_dynamic_init
_dl_get_origin
malloc
ptmalloc_init.part.5
_int_malloc
malloc_consolidate
sysmalloc
...

Hints:

  • If a function has a name in GDB it is displayed in an angle brackets call 0x40fa90 <puts>.
  • How can you make GDB stop at every call instruction?

Task 13 – Simple Buffer Overflow

Have a look at the simple_bo file. You have to find out how the binary works and how you can make it print the flag. Please do not just brute-force possible solutions. This might lead to a reduced number of points for the task (see General Information).

Your concrete task is to:

  • reverse the binary and understand how it may be exploited so that it prints the flag

  • write a Python script that exploits the binary

  • describe your approach using a docstring at the top of the file (below the Shebang line!); we want to know what is happening exactly and why the flag is printed… describe the mechanisms!

    • just an example:

       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

      ###!/usr/bin/env python3

"""
The binary does foo and bar. We have to check that x, y, and z are true.
After we did ... we use ... to make the program print the flag.
"""

def main():
    pass

...

Your solution should look like:

1
2

$ ./solution
FLAG{some letters and/or digits here}

Task 14 – Reverse Me

Seeing how effortless you managed to parse integers on the last sheet, we fired our old programmer without further consideration. However, we were informed that his legacy code still drives a part of our system.

We found one of these binaries: reverseme. Please implement its functionality as a Python script. We can not remember him ever implementing so many functions!?

Hints:

  • Use all the tools we mentioned in the lecture to get a good overview first!
  • What is a callback?

Task 15 – In-memory decryption II

Have a look at the extractme executable. It decrypts a flag during runtime. Please try to extract it again.

The flag is in the format FLAG{some characters here}. Write a (vanilla not pwndbg) GDB Python script that extracts the flag.

Your solution should look like:

1
2

$ ./solution
FLAG{some characters here}

Hints:

  • Try to find the flag with pwndbg first an then write the script.
  • At no point in time, the flag is completely decrypted.
22 Nov 2019