commit 3500dba57127a1d67d991cbb3098e28b0ae1b3f5
parent c2b19dd5c3f0a781b4acdfef8726d96f5593a657
Author: therealFIGBERT <figbertwelner@gmail.com>
Date: Sun, 5 Jan 2020 13:24:49 -0800
Write binaryaddition walkthrough, simplify binaryaddition script
Diffstat:
2 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/linux_and_misc/scripts/binaryaddition.py b/linux_and_misc/scripts/binaryaddition.py
@@ -11,7 +11,6 @@ import struct
connection = remote("twinpeaks.cs.ucdavis.edu", 30002)
connection.recvuntil("Ready")
for i in range(0,50):
- connection.recvuntil("Question")
connection.recvuntil(" : ")
#Arrive at the first number and unpack it
num_one = struct.unpack("I", connection.recv(4))[0]
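Review bot: The `connection.recv(4)` on the last line of this hunk is a short-read hazard: pwntools `recv(n)` returns up to n bytes, not exactly n, so a fragmented packet yields fewer than 4 bytes and `struct.unpack` raises `struct.error` mid-loop. The challenge banner also specifies a 4-byte little-endian integer, while the bare `"I"` format uses native byte order and alignment, which only happens to match on a little-endian host. I would change the line to `num_one = struct.unpack("<I", connection.recvn(4))[0]` and apply the same `recvn`/`"<I"` treatment to the second number and the `struct.pack` for the answer, which sit outside this hunk. The `for` loop body continues past the end of the hunk.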
diff --git a/linux_and_misc/walkthroughs/binaryaddition.md b/linux_and_misc/walkthroughs/binaryaddition.md
@@ -0,0 +1,74 @@
+# binaryaddition Walkthrough
+
+[binaryaddition](https://twinpeaks.cs.ucdavis.edu/challenge?id=10) is very similar to the previous challenge, [addition](https://twinpeaks.cs.ucdavis.edu/challenge?id=9), but with a fun twist. For this challenge I continued to use the [pwntools library](https://github.com/Gallopsled/pwntools) for Python 3.
+
+Connecting to the server with `nc` spits out this response:
+```
+John just noticed his homework is due in 10 seconds!
+Help him finish his homework, which contains 50 additions.
+However, his teacher is a computer! Hal is giving his homework in binary.
+You have to answer the question in binary too.
+The format is "Question x : num + num", where num is a 4 byte little endian integer.
+Your answer should be another 4 byte little endian integer, with no newlines at the end.
+Ready? Go!
+Question 0 : ??k + :ڒB
+```
+This challenge is a little more complex! In addition to the slightly more complex format, the numbers are presented not as bytestrings, but as a "4 byte little endian integer"!
+
+Taking a look at the Python docs, we find the [struct](https://docs.python.org/3/library/struct.html) package, which can unpack [unsigned, 4-byte, ints](https://docs.python.org/3/library/struct.html#id1). *One additional note: the struct package returns tuples, so unpacking a number returns a tuple with the unpacked value at position 0.*
+
+In order to start the loop, we have to get rid of the introduction the server throws at us, introducing the new `recvuntil` function:
+```python
+from pwn import *
+import struct
+
+# Connecting to the server
+connection = remote("twinpeaks.cs.ucdavis.edu", 30002)
+connection.recvuntil("Ready")
+```
+The question format is `QUESTION_NUM : BYTE_INT + BYTE_INT`. Now, we just have to construct the loop:
+```python
+for i in range(0,50):
+ # Arrive at the start of the equation, and the first number
+ connection.recvuntil(" : ")
+ # Unpack the first number
+ num_one = struct.unpack("I", connection.recv(4))[0]
+ # Arrive at the second number
+ connection.recvuntil(" + ")
+ # Unpack the second number
+ num_two = struct.unpack("I", connection.recv(4))[0]
+ # Add the unpacked number
+ num_sum = num_one + num_two
+ # Pack the sum into another 4 byte number
+ num_sum = struct.pack("I", num_sum)
+ # Send the packed number back to the server
+ connection.send(num_sum)
+```
+And now we just have to run it! The finalized code looks like this:
+```python
+# A CTF exploit by FIGBERT
+# for UC Davis class ECS189M
+# twinpeaks.cs.ucdavis.net:30002
+# Category: Linux and miscellaneous
+# Challenge: binaryaddition
+# 04/01/2020
+from pwn import *
+import struct
+
+#Connecting to the server
+connection = remote("twinpeaks.cs.ucdavis.edu", 30002)
+connection.recvuntil("Ready")
+for i in range(0,50):
+ connection.recvuntil(" : ")
+ #Arrive at the first number and unpack it
+ num_one = struct.unpack("I", connection.recv(4))[0]
+ connection.recvuntil(" + ")
+ #Arrive at the second number and unpack it
+ num_two = struct.unpack("I", connection.recv(4))[0]
+ num_sum = num_one + num_two
+ print("Equation %d: %d + %d = %d"%(i+1, num_one, num_two, num_sum))
+ #Convert the added numbers and send them back
+ num_sum = struct.pack("I", num_sum)
+ connection.send(num_sum)
+connection.interactive()
+```