Sheet 6
General Information
All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online, there are many good resources to get started such as this intro course, this advanced course, this blog post, and this slide deck. Feel free to post other resources to the mailing list to help your fellow PABE students.
Please keep in mind that you should:
-
read the task description carefully
-
push
all your changes to the GitLab repository (master
branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site! -
Make sure that your solution (also) runs in the CI environment (and not just your local machine); this also means that you must install all additional packages yourself from within the
solution
script (see our blog post for details how to do that). -
Make sure that the solution is an executable python3 script named
solution
(chmod +x ./solution
) with a working shebang line at the top (i.e.#!/usr/bin/env python3
) so that it can be executed like this:./solution
(do not name your scriptsolution.py
,Solution
,solution.sh
, … justsolution
) -
The final solution string, and only that, must be written to
stdout
and could be a number, a string, a string with the formatFLAG{some letters and digits here}
, depending on the specific task. -
Describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:
1 2 3 4 5 6 7 8
def check_input_length(input_string): """ The input string must have a length greater than 42 and must also be even. """ length = len(input_string) # the final check happens here return (length > 42) and (length % 2 == 0)
This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please do not leave any commented code (i.e., code that is not needed to solve the task) in your
solution
files! -
Make sure that your
solution
executes within 10 seconds (this is a hard timeout on our server). -
Violating any of the points above might lead to reduced final points for the specific task!
The deadline for this sheet is Tuesday, 2022-01-25 23:59:59 CET
Task 26 – Improved PABE Service (4 Points)
Our developer team published this new PABE echo service. This time the binary is even more secured and offers some new functions.
Are you ready to exploit it and make it print the flag? Just do it then!
Once again, edit the provided solution
template and explain your approach with meaningful comments!
Hints:
- What do you think about pabe’s awesome Echo Service? Might there be some bug in it?
- Is there some nice GOT entry which you could overwrite?
Your solution should execute like this:
|
|
Task 27 – Two Bugs (4 Points)
The binary two_bugs
contains… well, two bugs.
Can you exploit both to get the flag printed?
Edit the provided solution
template and explain your approach with meaningful comments!
Hints:
- Are you able to leak everything you need to know?
- Which kind of code reuse attack do you know?
Your solution should execute like this:
|
|
Task 28 – A little printer developed during Xmas (8 Points)
Our developer team just built this little printer during Xmas. We hope you enjoy our printer while the baubles are still dangling under your Xmas tree.
Try to exploit myLittlePrinter
and print the flag!
Once again, edit the provided solution
template and explain your approach with meaningful comments!
Hints:
- What do you know about dangling pointers?
- Do you remember format string bugs?
Your solution should execute like this:
|
|
Task 29 – Some Poison for the Cash machine (8 Points, individual Task)
Money is not everything, but with money everything is more fun. Therefore we want to use this awesome cash machine to get our money printed.
Poison cash_machine
in a way that it gives you a shell, and use the shell to print the flag!
Edit the provided solution
template and explain your approach with meaningful comments!
Hints:
- Have a look at the backdoor function
- How can you set up
RDI
when invoking the backdoor function? - Which functions offers you the possiblity that your allocation gets into the TCACHE?
- Can you see the diference between the
cashbox_delete
and thecashbox_update
functions? What can you use after that?
Your solution should execute like this:
|
|
Task 30 – Bank Robbery 2.0 (16 Points)
You are now a member of the digital bank robber group Fang-Den-Shui which is famous for stealing money from the rich and giving it to the poor. Are you ready to prove your value?
To successfully rob the bank, exploit bank_robbery
to make it print the flag!
Edit the provided solution
template and explain your approach with meaningful comments!
Hints:
- Can you configure your
panic()
function wisely? - Are you able to influence the allocation on the heap in a way that you are able to overwrite something nice there?
Your solution should execute like this:
|
|