ctf-resources/htb/hacktheboo2024/pwn/[Very Easy] Que onda/README.md

4.6 KiB
Raw Blame History

Que Onda

10 Septemeber 2024 / Document No. DYY.102.XX

Prepared By: w3th4nds

Challenge Author(s): w3th4nds

Difficulty: Very Easy

Classification: Official

Synopsis

Que Onda is a very easy difficulty challenge that features installing basic tools, interacting with netcat and basic python scripting.

Description

Que onda! Welcome to the festival of Pwn! This is a small guide to help you continue your journey, follow the instructions in README.txt

Skills Required

  • None

Skills Learned

  • Interaction with nc and pwntools.

Enumeration

We are given some files, including README.txt.

$ cat README.txt
🎃 h3ll0, fr13nd5! 🎃

This challenge is designed to help you get comfortable interacting with a remote instance, while also guiding you through the installation of essential tools. If you encounter any issues or notice anything missing, feel free to reach out to me via dm (#w3th4nds).

* To install the tools, run "./tools.sh" in your terminal.
* To interact with the challenge, spawn an instance and then use the command "nc <IP> <PORT>" e.g. "nc 127.0.0.1 1337"
* To run the solver script, run "./solver.py <IP> <PORT>" or "python3 solver.py <IP> <PORT>" e.g. "python3 solver 127.0.0.1 1337"
* This "HTB{f4ke_fl4g_4_t35t1ng}" is not the flag, just a placeholder.
* After that, you simply send the string "flag" to get the flag.
* "glibc" folder is not needed to exploit the challenge, it's given so you can run the challenge. 
* To run the challenge locally, enter in your terminal "./que_onda".

🎃 h4ppy h4ck1n6! 🎃

There are some basic instructions here on how to proceed with the next challenges and some helping tools to install.

$ cat tools.sh
#!/bin/bash

clear 
os=$(lsb_release -i  | cut -d':' -f2 | tr -d '[:space:]')
ver=$(lsb_release -d | cut -d':' -f2 | tr -d '[:space:]')

red="\e[1;32m"
green="\e[3;32m"
blue="\e[1;94m"
reset="\e[0m"

echo -ne "[!] This script will install${green} pwntools${reset},${green} gdb${reset}-${green}gef${reset} and ${green}python3-pip${reset} in your system, do you want to proceed? (Y/n): " 
read ans
echo -ne "${reset}"

if [[ "$ans" == "" || "$ans" == "y" || "$ans" == "Y" ]]; then
  # Install gdb - gef - python3-pip
  echo -e "\n${blue}[*] $os ver: ${green}${ver}${reset}"
  echo -e "\n${blue}[*] Installing${green} pwntools${blue}${reset}..\n"
  sudo apt update -y
  sudo apt install gdb python3-pip -y
  bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

  # Install pwntools
  if [[ "$ver" == "24.0"* && "$os" == "Ububntu" ]]; then
    python3 -m pip install --upgrade pip --break-system-packages && python3 -m pip install --upgrade pwntools --break-system-packages
  else
    python3 -m pip install --upgrade pip && python3 -m pip install --upgrade pwntools
  fi
  echo -e "${green}[+] Done!${reset}"
fi

This script will install python3-pip, pwntools and gdb-gef.

First interaction

First of all, we start with a checksec:

pwndbg> checksec
Arch: amd64
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
RUNPATH:  b'./glibc/'

Protections 🛡️

As we can see:

Protection Enabled Usage
Canary Prevents Buffer Overflows
NX Disables code execution on stack
PIE Randomizes the base address of the binary
RelRO Full Makes some binary sections read-only

The program's interface

The challenge is pretty much what it says. If we send "flag", we get the flag.

Solution

#!/usr/bin/python3
from pwn import *
import warnings
import os
warnings.filterwarnings('ignore')
context.log_level = 'critical'

fname = './que_onda' # Specifiy the binary name 

LOCAL = False        # Change it to "True" to run the solver locally

os.system('clear')   # Clear screen

if LOCAL:
  print('Running solver locally..\n')
  r    = process(fname)   # Starting local process
else:
  IP   = str(sys.argv[1]) if len(sys.argv) >= 2 else '0.0.0.0'
  PORT = int(sys.argv[2]) if len(sys.argv) >= 3 else 1337
  r    = remote(IP, PORT) # Opens a remote connection to the specified <IP> and <PORT> 
  print(f'Running solver remotely at {IP} {PORT}\n')

r.sendline('flag') # Sends the string "flag" to the remote instance

print(f'Flag --> {r.recvline_contains(b"HTB")[2:].strip().decode()}\n') # Reads the flag