ABE Exercise Sheet 0

NOTE:

• This sheet is not part of the mandatory sheets that are required for the admission for the final exam!
• Contrary to the other sheets, you will not hand in solutions to tasks 1-5 on this sheet. Instead, you are advised to solve them on your own or in a group, and we will talk about the tasks in the first exercise session on 2024-04-16.
• All tasks should be solved under Linux (Fedora, Arch Linux, Ubuntu, Kali, <your_favorite_distro_here>). Use a virtual machine if you do not have access to a native Linux machine.

The deadline for this sheet is 2024-04-15 22:00:00 UTC
(only relevant for the final submission of Task 0)

Task 0 – Getting ready to exploit (2 Points, individual Task)

Welcome, new ABE student!

This very first task sets you up for future exercises. If at any point you get stuck or discover an ambiguity, please send us a message to placeholder@example.com!

Speaking of points: You get two bonus points if you complete this task on time.

Til Bardaga¹!

Check out the lecture website

The lecture website is located at https://abe.seclab-bonn.de.

On the website, you can find general information, the slides, and the exercise sheets (like this one).

Make sure you can access the website, the slides (if there are already some available), and the exercise sheets. If you cannot, please check your local setup first, then complain.

Visit the first lecture

The first lecture takes place on Monday 2024-04-08. You can find time and place on the lecture website or on BASIS. Either come to the lecture hall in person, or follow via BigBlueButton (BBB). You can find the BBB link on the lecture website as well.

Attention: During the lecture, you will be told a secret value that you will need for the next task!

If you miss the value or cannot make it to the lecture, don’t worry: Just write us an email to placeholder@example.com, and we will tell you the not-so-secret-anymore value.

Grouping

As part of this lecture, you will be told to register for the exercises.

Since it is dangerous to go alone, you have to form groups of up to 3 people. We suggest doing that in person right after the first lecture. You can of course also use other means, like chat groups or Discord servers that you may already be a member of, or by talking to friends you might already have.

Do not worry if that does not work out for you or you cannot attend: You can still register on your own, and will then be merged into a group by us.

Warning: Do not register before the first lecture on 2024-04-08! Your data may get wiped, and you will not be able to get bonus points for this task because you are not able to follow simple instructions.

The registration takes place at https://abe.seclab-bonn.de/register/.

Fill out the form with the appropriate values. You did catch the secret value in the lecture, didn’t you?

The local-part of your university email address (e.g. the part before the @) will become your user name in our GitLab. For example, if you register with s6alturi@uni-boon.de, your user name will be s6alturi.

• If you do not already have people that you would like to form a group with, simply register on your own while leaving the “Group Token (optional)” field empty. You will be merged into groups after the registration has concluded.
• If you do have one or two people that you would like to form a group with, all members of your group must enter the exact same value in the “Group Token (optional)” field. You must choose a group token that is unlikely to be chosen by another group. We suggest picking the matriculation number of one (!) group member, calculating its SHA-256 value (echo '<matriculation number>' | sha256sum), and using the result as group token. But you do you.

Press “Register for the ABE exercises” to submit your data.

You have time until Thursday, 2024-04-11 10:00:00 UTC to register.

Now we wait

Shortly after the registration deadline, we will assemble the exercise groups, create GitLab accounts for you, and throw you onto the lecture mailing list. You should get a bunch of notification emails once we are done. Once you received them, you can continue with the next step.

Open the “Account was created for you” email, click the link to set your password, and set your password.

If it’s Friday 2024-04-12 and you haven’t received anything yet, please write us an email to placeholder@example.com and ask what’s up with that. Please tell us the data (name, email address, …) you registered with, so we have some clues to start our investigation with 🙃

GitLab access

You will get all exercise tasks from our GitLab instance.

Our GitLab ist located at https://git.abe.seclab-bonn.de.

Log in with your email address as username and the password that you just set.

Do you already have an SSH key on your computer? If not, you can create one by running ssh-keygen -a 100 -t ed25519 and keeping the default suggestions. Lazy people leave the passphrase blank. You can then find your public key at ~/.ssh/id_ed25519.pub.

Add your public SSH key to the GitLab at https://git.abe.seclab-bonn.de/-/profile/keys.

Since our GitLab uses a custom SSH port for technical reasons, you have to tell your system how to access it properly.

Create the file ~/.ssh/config or edit it, and add the following lines:

1
2

Host git.abe.seclab-bonn.de
    Port 50315

You can run ssh git@git.abe.seclab-bonn.de to check whether it worked. The first time you connect, it will ask you to confirm the identity of the server. You can check the fingerprints against the values given here: https://git.abe.seclab-bonn.de/help/instance_configuration

Your first task! Capture the flag.

In GitLab, you should see a project that belongs to you, which is called exercise_0.
Check it out! (as in: run git clone so you get a local copy). It mainly contains a file called README.md in which you find this text. Hello there!

Now for what you actually have to do:

Create a Python 3 script that reads the content of a file at /opt/flag and prints it to stdout.
The script file has to be called solution (yep, it must not have a file extension),
must contain a shebang as the first line (#! /usr/bin/env python3)
and must have been made executable (chmod +x solution).

If you did everything right, you should be able to execute the script by running ./solution in a shell, and get the contents of /opt/flag – provided you created that file on the machine you are running the script and wrote something into it.

Virtual Worlds

Computers are tricky, especially if you want to exploit their innermost workings. Therefore, you can use a Docker container to run your solution in an environment that is similar to the one that your solution will be graded in. Of course, you do not need to use Docker, but can also use drop-in replacements like Podman if you are brave enough.

1. install Docker² or Podman³ (of course you only have to do this once)

2. start the isolation container with a few important command line parameters by running the following inside the folder where your solution lies:

   1	docker run -it --rm --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -v $(pwd):/task:Z seclabbonn/isolation-container

   (replace docker with podman if you are using Podman)

This should in the end get you a root shell inside the container.

Your solution folder will be available under /task.

Navigate to your solution files by typing

1

cd /task [Enter]

and run your solution by typing

1

./solution [Enter]

Do you like what you see? Great! Seems like it is working.

You can exit the container again by typing

1

exit [Enter]

Time to submit your solution to get those juicy bonus points.

Submit

Create a commit that adds your solution script and push it to GitLab.

Some people prefer to use the command line to do that (git add ., git commit, *enter excellent commit message*, git push); some prefer to use graphical tools like Git Cola.

Checking In with the Oracle

Sometimes, getting to run code reliably is tricky. Well, most of the time, actually.

We have set up a Continuous Integration task on GitLab that will show you what happens if one attempts to execute your solution in our infrastructure. Every time you push to your repository, a magical an ordinary robot will carry your code away, run it, and bring back the output that it produced.

You can check the output by clicking the green checkmark icon that appears on your commit on GitLab once the check has concluded, and make sure it looks like you intended.

If instead you spot a red cross on your commit on GitLab, that means something probably went horribly wrong. Clicking the red cross should tell you what the issue was. Fix it, add, commit, and push again, and hope that you get a green checkmark (and the output you desire) this time!

And if you are certain that something went wrong and it is absolutely not your fault, please complain via email.

…and profit!

If you did everything right, you will get two juicy bonus points!

After grading, you can have a look in the file called tutor-notes.md to see how many points you received and which encouraging comments your tutor left for you. If you don’t like what you see, you can even complain! Arts and sciences, research and teaching shall be free, after all.

So that is the end of your journey. You have now learned all the basics you need to successfully work on future tasks and gain points towards admission to the exam.

Task 1 - Python Programming With pwntools

Write a Python 3 script and use pwntools (link). Connect to abe.seclab-bonn.de on port 50301 with remote (link) and do the following:

• read the first string that always ends with an @ character (link)
• read the second string that always ends with a % character
• concatenate those two strings without the special characters @ and % and send them back to the server
• the server will send a string back to tell you that everything was correct -> check that string!

Task 2 - Intel x86 Assembler

Have a look at the following snippet of assembler code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

xor eax, eax
xor ebx, ebx
xor ecx, ecx
mov ecx, 1
mov eax, 1337
mov ebx, 42
add eax, ebx
shl ecx, 2
add eax, ecx
push rax
push rbx
pop rcx
pop rdx
lea eax, [ecx+eax]
lea ebx, [edx+ebx]

What are the final contents of eax, ebx, ecx, and edx? You can do this mentally (i.e. use your brain), compile it using nasm -felf64 or, if you want to get really fancy, use a tool like Unicorn Engine (link)

Task 3 - Understanding a C Program

Look at the following source code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_BUFFER_SIZE 1024

int main(int argc, char **argv)
{
        char buffer[MAX_BUFFER_SIZE] = {0};
        char *user_input = NULL;

        user_input = (char *)malloc(MAX_BUFFER_SIZE);
    
        if (!user_input)
        {
                printf("error allocating memory\n");
                exit(1);
        }
    
        memset(user_input, 0, MAX_BUFFER_SIZE);
    
        printf("Enter a string:\n");
    
        if (!scanf("%1023s", user_input))
        {
                printf("error reading user intput\n");
                free(user_input);
                exit(1);
        }
    
        strncpy(buffer, user_input, MAX_BUFFER_SIZE);
    
        puts("Your input was:\n");
    
        puts(buffer);
    
        free(user_input);
    
        return 0;
}

Answer the following questions:

1. What does the program do? Go through all the lines and try to understand (really understand) what it does.
2. Where in memory (memory segment) does buffer reside?
3. Where in memory (memory segment) do user_input and *user_input reside?
4. What values does buffer contain after the initialization?
5. What’s the difference between strcpy and strncpy? Is strncpy secure for all parameters?
6. What’s the difference between user_input, &user_input, and *user_input?
7. Look at the following assembler code:

   1 2 3 4 5 6 7

   ... mov edi,0x400 call 1070 <REDACTED@plt> mov QWORD PTR [rbp-0x8],rax cmp QWORD PTR [rbp-0x8],0x0 jne 1214 <main+0x7b> ...

   To which line(s) in the above source code might this snippet correspond? What is happening there?

Task 4 - Compilation of a C Program

Have a look at the following code in a file called main.c:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

  #include <stdio.h>
  
  int main(int argc, char **argv)
  {
  	if (argc != 2)
  	{
  		puts("I need one argument! Exiting...");
  		return 1;
  	}
  	
  	printf("Hello, %s!\n", argv[1]);
  	
  	return 0;
  }

Answer the following questions:

1. What is the output of gcc -E -P main.c? What can you see? Where is the main() function and what are the other lines?
2. Run gcc -S -masm=intel main.c and have a look at the newly created file main.s? Can you make sense of those lines? Is there a semantic connection between the C source code above? Can you find matching lines?
3. Run gcc -c main.c and also run file main.o for the newly created file main.o. What does the output tell you?
4. Run strings main.o, can you find anything related to the C source code?
5. Run xxd main.o, what do you see? What do the different columns mean? Why are there sometimes . (dots) in the rightmost column?
6. Run nm main.o, what do you see and more concrete what does U mean?

Have a look at the following code of a file called lib_hello.c:

1
2
3
4
5
6
7
8

  #include <stdio.h>
  
  void say_hello()
  {
  	puts("Hello, ABE student! Welcome to the lecture :)");
  
  	return;
  }

and this code called use_lib.c:

1
2
3
4
5
6
7
8

  extern void say_hello();
  
  int main()
  {
  	say_hello();
  
  	return 0;
  }

Answer the following questions:

7. Compile the code with gcc -shared -fPIC lib_hello.c -o libhello.so and run file libhello.so. What is the output and how is it different to the output of file main.o?
8. Run gcc -L$(pwd) -o use_lib use_lib.c -lhello and describe what the command does. What is the result? (if you want to run the final binary execute LD_LIBRARY_PATH=$(pwd) ./use_lib)
9. In the previous gcc command… what happens if you leave the -L$(pwd) flag and why? (maybe ld -lhello --verbose will help you)

Task 5 - Bug Hunting

Download the following (not so well written) source code and try to win the game! The goal is to make the program print out the flag (#define FLAG "FLAG{REDACTED}"). Connect to abe.seclab-bonn.de on port 50302 and get the flag! For example using nc abe.seclab-bonn.de 50302 or pwntools. Hint: Maybe your name has an impact on the fortune…