Sheet 1
General Information
All solutions must be Python 3 scripts if not stated otherwise. If you are new to Python 3, have a look online; there are many good resources to get started, such as this intro course, this advanced course, this blog post, and this slide deck.
Please keep in mind that you should:
- read the task description carefully
- push all your changes to the GitLab repository (main branch) before the deadline. Also make sure that the file permissions are set correctly! If you are new to Git, check out this site!
- Make sure that your solution (also) runs in the CI environment (and not just on your local machine); this also means that you must install all additional packages yourself from within the solution script (see our blog post for details on how to do that).
- Check the CI pipeline status and output for any errors. If the pipeline is green and the output looks right, your solution should be correct.
- Make sure that the solution is an executable Python 3 script named solution (chmod +x ./solution) with a working shebang line at the top (i.e. #!/usr/bin/env python3) so that it can be executed like this: ./solution (do not name your script solution.py, Solution, solution.sh, … – just solution)
- The final solution string, and only that, must be written to stdout and could be a number, a string, or a string with the format FLAG{some letters and digits here}, depending on the specific task.
- Describe what you are doing using detailed comments for all your solution scripts! For example, use Docstrings (link) or inline comments:

  ```python
  def check_input_length(input_string):
      """
      The input string must have a length greater than 42
      and must also be even.
      """
      length = len(input_string)
      # the final check happens here
      return (length > 42) and (length % 2 == 0)
  ```

  This helps us to find out if you really understood the task and you are not just brute-forcing some solutions. Please do not leave any commented code (i.e., code that is not needed to solve the task) in your solution files!
- Make sure that your solution executes within 10 seconds (this is a hard timeout on our server).
- Violating any of the points above might lead to reduced final points for the specific task!
The deadline for this sheet is 2025-04-27 22:00:00 UTC
Task 1 – Key Checker (4 Points, individual Task)
The program check_key needs a valid key as an input.
Find out how to provide the key to the program and how the key checking algorithm works (use a reverse engineering tool such as IDA Pro, Ghidra, radare2, or Binary Ninja, or use a debugger such as gdb).
The final task is to write a Python script which must be named solution, is able to generate valid keys, and prints 500 of them to stdout (unique keys, newline-separated, no other output), i.e., your solution must look like this when executed:
|
|
where keyX is a valid key.
Note: Do not brute-force all solutions by executing the binary check_key and checking its output. This is a reverse engineering task.
Task 2 – In-memory decryption (8 Points)
Have a look at the extractme executable. It decrypts a flag during runtime. Please try to extract it.
The flag is in the format FLAG{some characters here}.
Edit the provided GDB Python script gdb_script.py to extract the flag.
Only use vanilla gdb features, no extensions allowed here!
Then edit the solution script that calls GDB with your GDB Python script and prints the flag to stdout.
Hints:
- Try to find the flag with pwndbg first and then write the script.
- At no point in time is the flag completely decrypted.
- You can capture the output of your gdb call and then extract the flag from that in your solution script.
- If you need a refresher on Python gdb scripting, check out the docs.
Your solution must look like:
|
|
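A sketch of the wrapper side of this task, added here as an illustration and not part of the original sheet: it runs gdb in batch mode, captures everything gdb prints, and writes only the flag to stdout. It assumes that gdb_script.py prints the reassembled flag somewhere in gdb's output; the sample output is constructed.

```python
#!/usr/bin/env python3
"""Run gdb non-interactively and print only the flag found in its output."""
import re
import subprocess
import sys

# Flag format from the task description: FLAG{some characters here}
FLAG_RE = re.compile(r"FLAG\{[^}\n]*\}")

# Constructed sample of captured gdb output (not real output of extractme)
SAMPLE_OUTPUT = (
    "Breakpoint 1 at 0x1139\n"
    "FLAG{constructed_example}\n"
    "[Inferior 1 (process 4242) exited normally]\n"
)


def extract_flag(gdb_output):
    """
    Return the last FLAG{...} token in the captured output, or None.
    gdb and the debuggee print other text around it, so we search the
    whole output instead of trusting a fixed line number.
    """
    matches = FLAG_RE.findall(gdb_output)
    return matches[-1] if matches else None


def run_gdb(binary="./extractme", script="gdb_script.py", timeout=8):
    """
    -nx skips every .gdbinit (no extensions get loaded), -batch exits
    once the script is done. The timeout stays below the 10 s limit.
    """
    cmd = ["gdb", "-nx", "-q", "-batch", "-x", script, binary]
    result = subprocess.run(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True,
                            timeout=timeout, check=False)
    return result.stdout


def main():
    flag = extract_flag(run_gdb())
    if flag is None:
        # Diagnostics go to stderr; stdout must contain only the flag
        print("no flag found in gdb output", file=sys.stderr)
        return 1
    print(flag)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```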
Task 3 – CSV to Json (4 Points)
Have a look at the C code in broken.c!
It is a utility to convert CSV (Comma-Separated Values) files into JSON (JavaScript Object Notation) files.
Sadly, there still seem to be some bugs, as when we run ./broken test.csv test.json, the first line of each entry is corrupted.
|
|
Your task is to review the code and identify 4 bugs (there may be more).
For each bug, please report in a text file named solution:
- Bug Location: The line(s) of code where the bug is present
- Expected Behaviour: What is the code supposed to do at this point if it were functioning correctly?
- Actual Behaviour: What does the code actually do in contrast?
- Reproduction Steps: Which input would trigger the bug? (optionally, you can upload a sample input file that triggers the bug to your repository. In this case, reference this file here.)
- Consequences: How does the bug affect the further execution of the executable? (e.g. crash, information leak, …)
- Suggested Fix: What would need to be modified in the code to fix the bug?
Hints:
- It may help to run under ASAN: gcc broken.c -g -fsanitize=address -o broken
- It may also help to compile with another compiler to get other warnings.
Task 4 – Say my name! (4 Points)
We have reused code from an old authentication system. It seems like security was not that important in those days…
Find a vulnerability in the binary say_my_name and edit the provided solution template so that it:
- Explains in a comment where the bug is located and how it can be fixed
- Exploits the binary and prints (only) the flag
Your solution should execute like this:
|
|