ucdavis-ecs189m

[RADIOACTIVE] python exploits for uc davis class ecs189m
git clone git://git.figbert.com/ucdavis-ecs189m.git

commit fe00fee79957989d2b5a98c430610af31168aed4
parent c42133d0aad10c261c764cbc1169256741b45de8
Author: therealFIGBERT <figbertwelner@gmail.com>
Date:   Sat, 29 Feb 2020 16:00:34 -0800

:fire: Remove linux_and_misc walkthroughs

Diffstat:
R linux_and_misc/scripts/addition.py -> linux_and_misc/addition.py | 0
R linux_and_misc/scripts/binaryaddition.py -> linux_and_misc/binaryaddition.py | 0
R linux_and_misc/scripts/strcmp.py -> linux_and_misc/strcmp.py | 0
D linux_and_misc/walkthroughs/addition.md | 72 -
D linux_and_misc/walkthroughs/binaryaddition.md | 74 -
D linux_and_misc/walkthroughs/privesc1.md | 27 -
6 files changed, 0 insertions(+), 173 deletions(-)

diff --git a/linux_and_misc/scripts/addition.py b/linux_and_misc/addition.py diff --git a/linux_and_misc/scripts/binaryaddition.py b/linux_and_misc/binaryaddition.py diff --git a/linux_and_misc/scripts/strcmp.py b/linux_and_misc/strcmp.py diff --git a/linux_and_misc/walkthroughs/addition.md b/linux_and_misc/walkthroughs/addition.md 
@@ -1,72 +0,0 @@ -# addition Walkthrough - -[addition](https://twinpeaks.cs.ucdavis.edu/challenge?id=9) is the first challenge where we interact with a server from our own machine with code. For this challenge I used the [pwntools library](https://github.com/Gallopsled/pwntools) for Python 3. - -Connecting to the server with `nc` spits out this response: -``` -John just noticed his homework is due in 10 seconds! -Help him finish his homework, which contains 50 additions. -Question 0 : 114314390 + 798790408 -Your answer: -``` -The pwntools' library `remote` object gives us several options for filtering out the input we receive, including the `recvline_contains` function. The `recvline_contains` function ["[receives] lines until one line is found which contains at least one of items"](https://docs.pwntools.com/en/stable/tubes.html?highlight=recvline_contains#pwnlib.tubes.tube.tube.recvline_contains). Combined with the `recv` function, we can filter out all of the unnecessary text from the server output with some pretty simple code: -```python -from pwn import * - -# Connecting to the server -connection = remote("twinpeaks.cs.ucdavis.edu", 30001) -# Receive the line with the equation -equation_line = connection.recvline_contains("Question") -``` -At this stage, we have a program that capture the question and then terminates. We now need to filter the variable. Based on the output from the `nc` connection, we can see that each question is formatted like this: `[QUESTION NUMBER] : [NUMBER ONE] + [NUMBER TWO]`. 
Now knowing the formatting, we can isolate the numbers and add them: -```python -# Split the equation into a list of question parts -# Value: ["QUESTION NUMBER", "NUMBER ONE + NUMBER TWO"] -equation_line_list = equation_line.split(b":") -# Select only the equation from the list, and eliminate whitespace -# Value: "NUMBER ONE + NUMBER TWO" -equation = equation_line_list[1].strip() -# Split equation bytestring into list of bytestring numbers -# Value: ["NUMBER ONE", "NUMBER TWO"] -numbers_bytestring_list = equation.split(b"+") -# Convert list of bytestring numbers to list of ints -# Value: [NUMBER_ONE, NUMBER_TWO] -numbers_list = [int(item.strip()) for item in numbers_bytestring_list] -# Find the sum of the numbers -number_sum = sum(numbers_list) -``` -We could now attempt to send the line, but if we look at the formatting we can see that one thing is missing - the server prompts us for our answer before it accepts input! Thus, we have to receive output before sending it back: -```python -# Receive the input prompt -connection.recv() -# Send the sum back as a bytestring -connection.sendline(bytes("%d"%num_sum, "utf-8") -``` -Now, we just have to stick all that in a loop that runs 50 times (and simplify it, if you'd like). 
The finalized code looks like this: -```python -# A CTF exploit by FIGBERT -# for UC Davis class ECS189M -# twinpeaks.cs.ucdavis.net:30001 -# Category: Linux and miscellaneous -# Challenge: addition -# 04/01/2020 -from pwn import * - -# Connecting to the server -connection = remote("twinpeaks.cs.ucdavis.edu", 30001) -for i in range(0,50): - # Recieving the equation - equation = connection.recvline_contains("Question") - # Splitting the equation into the two numbers to add - numbers = [int(item.strip()) for item in ((equation.split(b":")[1]).strip()).split(b"+")] - num_one = numbers[0] - num_two = numbers[1] - # Adding the two numbers - num_sum = sum(numbers) - print("Equation %d: %d + %d = %d"%(i+1, num_one, num_two, num_sum)) - connection.recv() - # Sending the password - connection.sendline(bytes("%d"%num_sum, "utf-8")) -connection.recv() -connection.interactive() -``` diff --git a/linux_and_misc/walkthroughs/binaryaddition.md b/linux_and_misc/walkthroughs/binaryaddition.md 
@@ -1,74 +0,0 @@ -# binaryaddition Walkthrough - -[binaryaddition](https://twinpeaks.cs.ucdavis.edu/challenge?id=10) is very similar to the previous challenge, [addition](https://twinpeaks.cs.ucdavis.edu/challenge?id=9), but with a fun twist. For this challenge I continued to use the [pwntools library](https://github.com/Gallopsled/pwntools) for Python 3. - -Connecting to the server with `nc` spits out this response: -``` -John just noticed his homework is due in 10 seconds! -Help him finish his homework, which contains 50 additions. -However, his teacher is a computer! Hal is giving his homework in binary. -You have to answer the question in binary too. -The format is "Question x : num + num", where num is a 4 byte little endian integer. -Your answer should be another 4 byte little endian integer, with no newlines at the end. -Ready? Go! -Question 0 : ??k + :ڒB -``` -This challenge is a little more complex! In addition to the slightly more complex format, the numbers are presented not as bytestrings, but as a "4 byte little endian integer"! - -Taking a look at the Python docs, we find the [struct](https://docs.python.org/3/library/struct.html) package, which can unpack [unsigned, 4-byte, ints](https://docs.python.org/3/library/struct.html#id1). *One additional note: the struct package returns tuples, so unpacking a number returns a tuple with the unpacked value at position 0.* - -In order to start the loop, we have to get rid of the introduction the server throws at us, introducing the new `recvuntil` function: -```python -from pwn import * -import struct - -# Connecting to the server -connection = remote("twinpeaks.cs.ucdavis.edu", 30002) -connection.recvuntil("Ready") -``` -The question format is `QUESTION_NUM : BYTE_INT + BYTE_INT`. 
Now, we just have to construct the loop: -```python -for i in range(0,50): - # Arrive at the start of the equation, and the first number - connection.recvuntil(" : ") - # Unpack the first number - num_one = struct.unpack("I", connection.recv(4))[0] - # Arrive at the second number - connection.recvuntil(" + ") - # Unpack the second number - num_two = struct.unpack("I", connection.recv(4))[0] - # Add the unpacked number - num_sum = num_one + num_two - # Pack the sum into another 4 byte number - num_sum = struct.pack("I", num_sum) - # Send the packed number back to the server - connection.send(num_sum) -``` -And now we just have to run it! The finalized code looks like this: -```python -# A CTF exploit by FIGBERT -# for UC Davis class ECS189M -# twinpeaks.cs.ucdavis.net:30002 -# Category: Linux and miscellaneous -# Challenge: binaryaddition -# 04/01/2020 -from pwn import * -import struct - -# Connecting to the server -connection = remote("twinpeaks.cs.ucdavis.edu", 30002) -connection.recvuntil("Ready") -for i in range(0,50): - connection.recvuntil(" : ") - # Arrive at the first number and unpack it - num_one = struct.unpack("I", connection.recv(4))[0] - connection.recvuntil(" + ") - # Arrive at the second number and unpack it - num_two = struct.unpack("I", connection.recv(4))[0] - num_sum = num_one + num_two - print("Equation %d: %d + %d = %d"%(i+1, num_one, num_two, num_sum)) - # Convert the added numbers and send them back - num_sum = struct.pack("I", num_sum) - connection.send(num_sum) -connection.interactive() -``` diff --git a/linux_and_misc/walkthroughs/privesc1.md b/linux_and_misc/walkthroughs/privesc1.md 
@@ -1,27 +0,0 @@ -# privsec1 Walkthrough - -[privsec1](https://twinpeaks.cs.ucdavis.edu/challenge?id=11) is the first privilege escalation challenge that we are presented with, and requires a different set of skills than the previous challenges. Whereas previous challenges, like [addition](https://twinpeaks.cs.ucdavis.edu/challenge?id=9) and [binaryaddition](https://twinpeaks.cs.ucdavis.edu/challenge?id=10), relied almost only on our coding skills, this challenge introduces a new concept: situational awareness attacks. - -What is a situational awareness attack? A situational awareness attack is, according to [tokyoneon](https://twitter.com/tokyoneon_) on [Null Byte](https://null-byte.wonderhowto.com/how-to/hacking-macos-perform-situational-awareness-attacks-part-1-using-system-profiler-arp-0186422/): ->the act of gathering hardware, software, and network information about the target. This information can be used to further compromise the target, their online accounts, and pivot to other devices and services within the network. - -## Intelligence Gathering -An initial assessment of our surroundings on connection reveals the server is running Debian GNU/Linux 10 (buster). A quick check of the flag, located at `/home/admin/flag`, reveals some valuable information. Trying to read the file with `cat` spits out this error: `cat: /home/admin/flag: Permission denied`. Running `ls -la /home/admin | grep flag` shows us that the permissions are set at 440 – only the file's owner has read access. - -This information gives us a pretty good idea of our situation and goal: -* Situation - * the `admin` user has read-only access to the flag - * our current user, `user`, has no access to the flag -* Goal - * impersonate `admin` and read the file - -## Execution -How do we impersonate a user? `sudo`! One problem: when we run `sudo cat /home/admin/flag`, we're prompted for a password. 
The only password we know for the account – `tucking_bacteria_litter_cheek_scrutiny` – doesn't work, and we're locked out after three attempts. As with most privilidge escalation attacks, we now have to look toward misconfigured permissions. - -Executables on linux are often in the `bin` folders, so the first place we should look is `/bin`. A quick `ls` of `/bin` reveals nothing interesting, so we can move on. - -After looking around a bit, we find a second folder of executables, at `/usr/bin`. Running `ls` and scanning through, we've hit the jackpot: A `sudo` executable. Checking the permissions by running `ls -la | grep sudo`, we see: `-rwsr-xr-x`. Not only is the file executable by everyone, it's also [sticky bit (suid) enabled](https://www.linuxquestions.org/questions/linux-newbie-8/what-is-s-instead-of-x-in-the-file-permission-when-i-look-at-usr-bin-chsh-223386/), which means that the file "will be executed with root permissions by all users." - -All that's left is to run the executable with the proper input. A quick check of `sudo -h` spits out the help page, and a scan of that reveals the structure needed. Lastly, we run the command: `./sudo -u admin -s cat /home/admin/flag`. Just like that, we have the flag: - -> ECS{5UD0_M0R3_L1K3_5UD0N3_685C320822C764B02E0E180256EF364A}
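Review bot: the commit message only says the walkthroughs are removed, but the first three `diff --git` entries (and the `R` rows in the diffstat) show addition.py, binaryaddition.py and strcmp.py being moved from `linux_and_misc/scripts/` to `linux_and_misc/`; the message should state that move as well, since anything referencing the old `scripts/` path will break.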
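Review bot: deleting addition.md drops the only explanation of why the script calls `connection.recv()` before `sendline` (the server prints the `Your answer:` prompt before it reads input); since the diffstat keeps addition.py, consider carrying that reasoning into a comment in the retained script. Note also that the walkthrough's intermediate snippet used `num_sum` where `number_sum` was defined and was missing a `)` on its `sendline` line, so no working reference is lost by this deletion.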
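Review bot: the removed binaryaddition.md unpacks with `struct.unpack("I", ...)` and packs with `struct.pack("I", ...)`, which is native byte order and size, while the server banner quoted in the same hunk specifies 4 byte little endian integers; since binaryaddition.py is retained (diffstat rename), check that it uses the explicit `"<I"` format so the result does not depend on the host being little-endian.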
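Review bot: the removed privesc1.md contained a plaintext account password and the flag value; deleting the file does not remove them from the repository history, where the parent commit still carries them, so if the aim is to scrub those values the history has to be rewritten. If the file was dropped only as incomplete, its heading `privsec1` also mismatched the filename and challenge name `privesc1`.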