Sheet 2
General Information
All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online, there are many good resources to get started such as this intro course, this advanced course, this blog post, and this slide deck.
Please keep in mind that you should:

- Read the task description carefully.
- Push all your changes to the GitLab repository (main branch) before the deadline. Also make sure that the file permissions are set correctly! If you are new to Git, check out this site!
- Make sure that your solution (also) runs in the CI environment (and not just on your local machine); this also means that you must install all additional packages yourself from within the `solution` script (see our blog post for details on how to do that).
- Check the CI pipeline status and output for any errors. If the pipeline is green and the output looks right, your solution should be correct.
- Make sure that the solution is an executable Python 3 script named `solution` (`chmod +x ./solution`) with a working shebang line at the top (i.e. `#!/usr/bin/env python3`) so that it can be executed like this: `./solution` (do not name your script `solution.py`, `Solution`, `solution.sh`, … – just `solution`).
- The final solution string, and only that, must be written to stdout and could be a number, a string, or a string with the format `FLAG{some letters and digits here}`, depending on the specific task.
- Describe what you are doing using detailed comments for all your solution scripts! For example, use docstrings (link) or inline comments:

```python
def check_input_length(input_string):
    """
    The input string must have a length greater than 42
    and must also be even.
    """
    length = len(input_string)
    # the final check happens here
    return (length > 42) and (length % 2 == 0)
```

  This helps us to find out if you really understood the task and are not just brute-forcing some solutions. Please do not leave any commented-out code (i.e., code that is not needed to solve the task) in your `solution` files!
- Make sure that your `solution` executes within 10 seconds (this is a hard timeout on our server).

Violating any of the points above might lead to reduced final points for the specific task!
The deadline for this sheet is 2024-05-12 22:00:00 UTC
Task 6 – Say my name! (4 Points)
We have reused code from an old authentication system. It seems like security was not that important in those days…
Find a vulnerability in the binary `say_my_name` and edit the provided `solution` template so that it:
- Explains in a comment where the bug is located and how it can be fixed
- Exploits the binary and prints (only) the flag

Your solution should execute like this:
Task 7 – Shellter your code! (4 Points)
We finally removed the unnecessary code that you might have found in the previous task!
Is our new binary `shellter_your_code` still exploitable?
Again, edit the provided `solution` template to make it exploit the binary and print (only) the flag!
Your solution should execute like this:
Task 8 – ROP ROP ROP ROP ROP (8 Points)
This time there are two binaries: `vuln` and `execute_me_with_rop`.
There is a simple vulnerability in `vuln`.
Your task is to build a ROP chain that executes `execute_me_with_rop` so that it prints the flag.
Use the `execve` system call and prepare all necessary arguments accordingly.
You must not use pwntools' `pwnlib.shellcraft` for this exercise!
You must also not just `execve("/bin/sh -c './execute_me_with_rop arg1 arg2'")` for the execution of `execute_me_with_rop`!
Once again, edit the provided `solution` template and explain your approach with meaningful comments!
Hints:
- Try to write a C program first which executes `execute_me_with_rop`, to find out how to build your ROP chain.
- Have a look at the Hello-World ROP chain in order to build your ROP chain.
- Remember how to set `argv`.
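The first hint carried out in plain C, as an added example that is not part of the exercise sheet or its provided templates: an ordinary program that starts `./execute_me_with_rop` with `execve(2)`. It shows the three things the system call expects (a path, a NULL-terminated `argv` array whose first entry is conventionally the program path, and an `envp` array that may be empty). The argument values `"arg1"` and `"arg2"` are placeholders taken from the sheet's wording; which arguments the binary actually needs is not stated on the page.

```c
/* Added example (not part of the exercise sheet): run ./execute_me_with_rop
 * through execve(2). "arg1"/"arg2" are placeholders, see the lead-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill a NULL-terminated argv array for execve.
 * Returns the number of entries written (without the terminating NULL),
 * or -1 if path + args + NULL do not fit into argv_out. */
int build_argv(char *argv_out[], size_t max_entries, const char *path,
               const char *const *args, size_t nargs)
{
    if (nargs + 2 > max_entries)   /* path + nargs + NULL terminator */
        return -1;
    argv_out[0] = (char *)path;    /* argv[0]: conventionally the program path */
    for (size_t i = 0; i < nargs; i++)
        argv_out[i + 1] = (char *)args[i];
    argv_out[nargs + 1] = NULL;    /* execve stops at the NULL pointer */
    return (int)(nargs + 1);
}

/* Count the entries of a NULL-terminated argv, i.e. the argc the callee sees. */
int count_argv(char *const argv[])
{
    int n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    const char *path = "./execute_me_with_rop";
    const char *args[] = { "arg1", "arg2" };   /* placeholders, see lead-in */
    char *argv[4];                              /* path + 2 args + NULL */
    char *envp[] = { NULL };                    /* an empty environment suffices */

    if (build_argv(argv, sizeof argv / sizeof argv[0], path, args, 2) < 0) {
        fputs("argv does not fit\n", stderr);
        return EXIT_FAILURE;
    }
    /* On success execve never returns: this process image is replaced. */
    execve(path, argv, envp);
    perror("execve");   /* only reached on failure, e.g. the binary is missing */
    return EXIT_FAILURE;
}
```

Compile with `cc -o run_it run_it.c` and run it next to the binary; if `execute_me_with_rop` is absent you will see the `perror` line instead, which is the expected failure path.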
Task 9 – Leak (8 Points, individual Task)
In this task we enabled all the nice exploit mitigations (see for yourself with checksec[^1])!
Try to exploit the binary with information that you extract “forcefully” from the binary!
Once again, edit the provided `solution` template to exploit the binary `leak` and print (only) the flag!
Your solution should execute like this:
Task 10 – Forking Server (16 Points)
In this task we enabled all the nice exploit mitigations (see for yourself with checksec)!
Try to exploit the `forkingserver` with all the know-how you have gained!
Edit the provided `solution` template to exploit the binary `forkingserver` and print (only) the flag!
Hint: This time you have to brute-force, twice! 😎
Note: Because the brute-forcing takes some time, the execution limit for this task is not 10s, but 60s.
Your solution should execute like this:
[^1]: https://github.com/slimm609/checksec.sh, available in the isolation container, possibly also available from your local package manager