Sheet 1

PABE Exercise Sheet 1

General Information

All solutions must be created with Python 3. If you are new to Python 3 have a look online… there are many good resources to get started such as this course, this blog post and this slide deck. Feel free to post other resources to the mailing list to help other PABE students.

Please keep in mind that you should:

  • read the task description carefully

  • push all your changes to the GitLab repository (master branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site!

  • make sure that your solution (also) runs on the virtual machine (and not just your local machine); this also means that you must install all additional packages yourself from within the solution script (e.g., os.system("pip install --user -r requirements.txt"))

  • make sure that the solution is an executable script named solution (chmod +x ./solution) with a working shebang line at the top (e.g., #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script, Solution,, … just solution)

  • the final solution string, and only that, must be written to stdout and could be a number, a string, a string with the format FLAG{some letters and digits here}, depending on the specific task

  • describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

    def check_input_length(input_string):
        The input string must have a length greater than 42 and must also be even.
        length = len(input_string)
        # the final check happens here
        return (length > 42) and (length % 2 == 0)
      This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please **do not** leave any **commented code** (i.e., code that is not needed to solve the task) in your `solution` files!
  • make sure that your solution executes within 10 seconds (this is a hard timeout on our server)

  • violating any of the points above might lead to reduced final points for the specific task!

The deadline for this sheet is Tuesday, 2020-11-24 23:59:59

Task 1 – Encrypted Header (2 Points)

Help! All of our executables seem broken! We have attached one for you as fixme. All we got is a ransom letter, claiming our files were encrypted utilizing xor with an unbeatable 8 bit key on their header? Can you write us a script decrypting the binaries?

In more detail:

Write a Python 3 script named solution (with a shebang line at the top so that it can be run as ./solution) that:

  • decrypts the fixme file
  • runs the fixed file and captures its output (e.g., with a function from subprocess (link))
  • prints the captured output of fixme to its stdout again

The final execution of your solution script should look like this:

$ ./solution
FLAG{some letters and digits here}

Task 2 – Parse ELF Files (4 Points)

We have found a strange symbol in one of our files. Could you write a small Python 3 script scanning the symbols of the given ELF file parseme for the name flag and return its value in hex?

The value should be the same as printed by readelf:

$ readelf --symbols parseme | grep flag
     6: 00000000deadbeef     8 OBJECT  GLOBAL DEFAULT   24 flag

There are two sub tasks:

  1. Write your own little ELF parser that allows you to get the desired value:

    1. You do not want to write a complete parser for ELF in Python!
    2. You can assume that the file is 64 bit (cf. parseme)
    3. You will need to find/parse the string table as referenced by .shstrtab that, for example, contains the strings of the section names .dynsym, .dynstr, … (link), (link)
    4. You will need to iterate over all section headers to find .dynstr and .dynsym (link)
    5. You will need to parse the dynamic symbols string table referenced by the section .dynstr (contains, for example, the string flag).
    6. You will need to parse the dynamic symbols table referenced by the section .dynsym (link)
      1. In the dynamic symbols table you will find a reference to the symbol name (st_name) and to the symbol value (st_value).
      2. If st_name references “flag” print the value st_value.
    7. Use Pythons open, seek, read methods as well as struct.unpack to get the correct values.
    8. Might also be helpful: ELF - Wikipedia
  2. Use pyelftools as an alternative approach to solve this exercise.

Your solution could, for example, look like this:

00000000deadbeef  # this is the result of your own parser
00000000deadbeef  # this is the result of the pyelftools library

Task 3 – The Semantic Gap (2 Points)

We found raw data and know its structure, but our programmer is ill and we need you to parse it. You can find the raw binary data in data.bin.

  • First, there is an unsigned 2 byte integer in Big Endian format
  • Then, there are two 1 byte integers in Little Endian format
  • Then, there is a big 8 byte integer in Big Endian format
  • At the end, there is an ASCII representation of a hexadecimal integer

Write a Python 3 script, which parses these integers and writes their sum (arithmetic addition) to stdout!

Your solution could, for example, look like this:

$ ./solution

Task 4 – Parse Process Information (2 Points)

There are some processes on your virtual machine utilizing the seccomp feature (link). Use the proc filesystem to identify processes utilizing seccomp and count them. Write a Python 3 script that prints the final count to stdout.

Your solution could, for example, look like:

$ ./solution

Task 5 – Broken C Code (2 Points)

Have a look at the C code in broken.c! We know that there are some programming mistakes: semantically and syntactically. Fix all the bugs so that the gcc compiler on your VM has nothing more to complain about (address warnings and errors) and you know that the program is working semantically correct (e.g., the wrong input should not tell you the secret).

gcc must be called with no parameters except the input file and the output file.

Your solution script must be a Python 3 script.

It has to:

  • compile the fixed source code
  • execute the compiled program with the correct input so that the check is passed and you receive the secret
  • print the secret

Use the subprocess module (link) and interact via stdin and stdout with the program if necessary.

Your solution could look like:

<THE SECRET>  # i.e. just print the secret that is surrounded by single quotes