Protostar exploits Net1

Introduction

Protostar exploits are a cool bunch of ctf type exercises that focus on Linux  binary exploits that progressively get harder. A ISO containing the OS and challenges can be downloaded.

The website with all information and downloads is at https://exploit-exercises.com/protostar/

Challenge

Test run

net1 is a network daemon that listens on port 2998. The iso image automatically starts the daemon for you. If we list the running processes you should see it.

root@protostar:/home/user# ps ax|grep net1
27882 ? Ss 0:00 /opt/protostar/bin/net1
27890 pts/1 S+ 0:00 grep net1
root@protostar:/home/user# netstat -nap|grep net1
tcp 0 0 0.0.0.0:2998 0.0.0.0:* LISTEN 27882/net1 
user@protostar:~$ nc -vvvv localhost 2998
localhost.localdomain [127.0.0.1] 2998 (?) open
???lAAAA
you didn't send the data properly
 sent 5, rcvd 38

Exploit

We need to connect to the network daemon, read the random bytes sent to us, convert to little endian and  send back the equivalent ascii representation. Success will be indicated with the message ‘you correctly sent the data’.

#include "../common/common.c"

#define NAME "net1"
#define UID 998
#define GID 998
#define PORT 2998

void run()
{
 char buf[12];
 char fub[12];
 char *q;

 unsigned int wanted;

 wanted = random();

 sprintf(fub, "%d", wanted);

 if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) {
 errx(1, ":(\n");
 }

 if(fgets(buf, sizeof(buf)-1, stdin) == NULL) {
 errx(1, ":(\n");
 }

 q = strchr(buf, '\r'); if(q) *q = 0;
 q = strchr(buf, '\n'); if(q) *q = 0;

 if(strcmp(fub, buf) == 0) {
 printf("you correctly sent the data\n");
 } else {
 printf("you didn't send the data properly\n");
 }
}

int main(int argc, char **argv, char **envp)
{
 int fd;
 char *username;

 /* Run the process as a daemon */
 background_process(NAME, UID, GID); 
 
 /* Wait for socket activity and return */
 fd = serve_forever(PORT);

 /* Set the client socket to STDIN, STDOUT, and STDERR */
 set_io(fd);

 /* Don't do this :> */
 srandom(time(NULL));

 run();
}

I found that scripting my challenge helped me have greater control over reading the challenge bytes from the server and converting to little endian ready for sending back to the server as integer string.

my code can be found here https://github.com/muttiopenbts/protostar/blob/master/protostar-net1.py

"""
This code is for protostar net1 challange.
Will connect to net1 network daemon, read the bytes sent from the server, convert to little endian then decimal and send back to server.
"""
import socket
import sys
import re
import struct

try:
 #create an AF_INET, STREAM socket (TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
except socket.error, msg:
    print 'Failed to create socket. Error code: ' + str(msg[0]) + ' , Error message : ' + msg[1]
    sys.exit()

print 'Socket Created'

host = sys.argv[1]
port = sys.argv[2]

try:
    remote_ip = socket.gethostbyname( host )

except socket.gaierror:
 #could not resolve
    print 'Hostname could not be resolved. Exiting'
    sys.exit()

print 'Ip address of ' + host + ' is ' + remote_ip

#Connect to remote server
s.connect((remote_ip, int(port)))

print 'Socket Connected to ' + host + ' on ip ' + remote_ip

try:
 #Now receive data
    recv = s.recv(4096)
    print "Received: %s" %recv

    #Set the whole string
    hexval = recv.encode('hex')
    rev_bytes = struct.unpack("<L", recv)[0]#reverse bytes received for little endian
    print "challenge, send back hex 0x%s in little endian order %s then decimal %s" %(hexval,hex(rev_bytes),rev_bytes)
    s.sendall(str(rev_bytes)+"\n") 

    recv = s.recv(4096)
    print recv
except socket.error:
 #Send failed
    print 'Send failed'
    sys.exit()

print 'Done.'

Test run

user@protostar:~$ python protostar-net1.py localhost 2998
Socket Created
Ip address of localhost is 127.0.0.1
Socket Connected to localhost on ip 127.0.0.1
Received: ?#?6
challenge, send back hex 0xbd23bb36 in little endian order 0x36bb23bd then decimal 918234045
you correctly sent the data
Done.

Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s