Sheet 3

General Information

All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online, there are many good resources to get started such as this intro course, this advanced course, this blog post, and this slide deck.

Please keep in mind that you should:

  • read the task description carefully

  • push all your changes to the GitLab repository (main branch) before the deadline. Make also sure that the file permissions are set correctly! If you are new to Git check out this site!

  • Make sure that your solution (also) runs in the CI environment (and not just your local machine); this also means that you must install all additional packages yourself from within the solution script (see our blog post for details how to do that).

  • Check the CI-Pipeline status and output for any errors. If the Pipeline is green and the output looks right, your solution should be correct.

  • Make sure that the solution is an executable Python 3 script named solution (chmod +x ./solution) with a working shebang line at the top (i.e. #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … – just solution)

  • The final solution string, and only that, must be written to stdout and could be a number, a string, a string with the format FLAG{some letters and digits here}, depending on the specific task.

  • Describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

    1
2
3
4
5
6
7
8

    def check_input_length(input_string):
    """
    The input string must have a length greater than 42 and must also be even.
    """
    length = len(input_string)

    # the final check happens here
    return (length > 42) and (length % 2 == 0)

    This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please do not leave any commented code (i.e., code that is not needed to solve the task) in your solution files!

  • Make sure that your solution executes within 10 seconds (this is a hard timeout on our server).

  • Violating any of the points above might lead to reduced final points for the specific task!

The deadline for this sheet is 2024-06-02 22:00:00 UTC

Task 11 – Bytecode Interpreter (8 Points, individual Task)

Our development team released our first bytecode interpreter! Try to insert your own shellcode into the interpreter and print the flag by exploiting the vulnerability in the interpreter. Thereby your shellcode should spawn a shell which could be used to print the flag.

You must solve this task by only providing your bytecode to trigger the execution of your shellcode. The given solution template should help you.

Hints:

  • What do you know about off-by- bugs ?
  • Are there any callback functions and what is necessary to get them executed?

Task 12 – Minimal 1 (4 Points)

Looks like our ABE developer thinks that small binaries are harder to exploit. Prove them wrong by exploiting the minimal1 binary and making it print the flag!

Edit the provided solution template and explain your approach with meaningful comments.

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}

Task 13 – Minimalist (8 Points)

Looks like someone really wanted to save disk space. Are you still able to expoit the problem_srop binary and make it print the flag? Do it!

Once again, edit the provided solution template and explain your approach with meaningful comments.

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}

Task 14 – The Path to Pivot (8 Points)

Path translation produces notoriously many bugs. Good thing we are here to finally provide a good, reliable, safe and clean solution… In other words, please exploit the binary and print the flag.

Edit the provided solution template and explain your approach with meaningful comments!

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}

Task 15 – Time to Pivot! (8 Points)

Our company ABE inc. is migrating to SAP. Hooray! Unfortunately, this migration requires a secret value to authorize the data transfer to the new system. And the last accountant that knew this value is already retired.

Luckily, our secretary remembers that they hid a backup of this value somewhere deep in the HR system. Can you help us out?

Exploit the HR server and print the flag!

Edit the provided solution template and explain your approach with meaningful comments!

Hints:

  • This time the flag is well hidden in libhr.so.
  • When pivoting, you might find gadgets of the following form helpful:
    • add rsp, 0x?? ; <...> ; pop REG1; ret
    • lea rsp, [REG1] ; <...> ; ret
  • Or similarly:
    • add rsp, 0x??; <...>; pop rbp; ret
    • leave; ret

Your solution should execute like this:

1
2

./solution
FLAG{some letters here}
14 May 2024