  • Locked thread
Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
in 2015 migishu was the hapless victim of the puzzle box


it's 2016 and the puzzle box is back

Symbolic Butt posted:

geez I just got home!

a package was awaiting me



...



:vince::vince::vince::vince::vince:

the puzzle box is a worthy adversary created by cocoa crispies and I'll need the help of yospos' great minds to open it


Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
<chapter 0>

I don't have my notebook available but I have this antenna thing here



indispensable gadget for every hacker

so yea now I can get into this machine using my desktop computer



ah yes, binary ninja

never heard of it before but I'm sure it's indispensable software for every hacker

let's look at the pictures



wait a minute.... let me examine the first picture... more carefully



alright! :yosbutt:

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

I really enjoyed the original puzzle box thread and am looking forward to this one

suffix
Jul 27, 2013

Wheeee!
hell yeah

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
do you have dremel?

PyPy
Sep 13, 2004

by vyelkin
am I the first to suggest putting your dick in it this year?



Put your dick in it

spankmeister
Jun 15, 2008






run metasploit on it op, its what the hax0rz use

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer
gently caress yes puzzle box

try:
' or 1 = 1

spankmeister
Jun 15, 2008






gimme teh binary i wanna reverse something

i'm in the south of spain on holiday and bored out of my gourd

Satellit3
Oct 21, 2008

spankmeister posted:

gimme teh binary i wanna reverse something

i'm in the south of spain on holiday and bored out of my gourd

go outdoors

spankmeister
Jun 15, 2008






Satellit3 posted:

go outdoors

I did. There were no computers there? :confused:

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Migishu posted:

gently caress yes puzzle box

try:
' or 1 = 1

Sqli always good

spankmeister
Jun 15, 2008






op make with the challenges already

vodkat
Jun 30, 2012



cannot legally be sold as vodka
Did you try http://10.219.2.1/login.php

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat

spankmeister posted:

gimme teh binary i wanna reverse something

i'm in the south of spain on holiday and bored out of my gourd

hows he gonna get the binary

KOTEX GOD OF BLOOD
Jul 7, 2012

ooooooo

KOTEX GOD OF BLOOD fucked around with this message at 23:37 on Dec 30, 2016

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord



404 to these

I don't think the puzzle box is running php, iirc cocoa crispies is more of a ruby kind of person.

speaking of this let's check the http response headers



oh that's not very informative

spankmeister
Jun 15, 2008






post the page source

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
<chapter 1>

so let's check that url



lol

ok now it's time for some serious hacking

I press F12 and...





greenpos supremacy.



this is like one of those clicker games I think you buy posters to produce more posts and their respective upgrades to multiply those posts



but the point doesn't seem to be to maximize :justpost:



(notice what happened when I bought tori's upgrade here, that's so bullshit)

the true objective is to get to 219 posters

careful investment is needed

I wonder if you can optimize the gameplay of this kind of game with a knapsack algorithm or something... I'm pretty sure someone figured this out



alright! reached 219 posters :yosbutt:

spankmeister
Jun 15, 2008






Symbolic Butt posted:

<chapter 1>

so let's check that url



lol

ok now it's time for some serious hacking

I press F12 and...





greenpos supremacy.



this is like one of those clicker games I think you buy posters to produce more posts and their respective upgrades to multiply those posts



but the point doesn't seem to be to maximize :justpost:



(notice what happened when I bought tori's upgrade here, that's so bullshit)

the true objective is to get to 219 posters

careful investment is needed

I wonder if you can optimize the gameplay of this kind of game with a knapsack algorithm or something... I'm pretty sure someone figured this out



alright! reached 219 posters :yosbutt:

not in it voted 1

Migishu
Oct 22, 2005

I'll eat your fucking eyeballs if you're not careful

Grimey Drawer
oh my loving god :five:

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

Migishu posted:

oh my loving god :five:

Lmfao this is awesome, also Tori getting probed when you upgrade

Moist von Lipwig
Oct 28, 2006

by FactsAreUseless
Tortured By Flan
lmaoooooo @ Tori probe

suffix
Jul 27, 2013

Wheeee!
op did u do the netcat

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
<chapter 2>



one important detail here is that I can't select the code :argh:

I pressed F12 again to bypass this bullshit

another thing is that if I keep playing the game and buying more posters, the code changes... this deserves further study for sure but for now let's send this one code

suffix posted:

op did u do the netcat

funny that you ask that... at this point I probably should've used netcat but I forgot about it

instead, because my brain is utterly broken by p-langing, I wrote this:



so let's see...



Nice!

I tried the url because I can't read well (or maybe I did understand it right?)



and it downloaded a binary file... huh.

trying to access http://10.219.2.1:1338/level2 gives me nothing but...



hmm... this is something...

so let's xxd that binary

code:
xxd level2 | less


see? now I get it, this is the binary that is running on 1338

the answer is an url to a specific port so...

code:
nc -z -v 10.219.2.1 1-65535 2>&1 | tee puzzle_box_ports.txt


I finally remembered netcat is a thing so I decided to scan every port to see if I find the one that would be the answer there :shepface:

this is running right now, it's gonna take a while

maybe the right way to go about it is to actually, you know, debug the binary... but gently caress the police

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord

spankmeister posted:

post the page source

I think cocoa crispies will eventually post the source of everything on his github like last year

anyway there isn't anything special in the page's source but here's the level2 binary https://mega.nz/#!ZFth3AhJ!vemcqVGu3LT-1xTUDMPB_m4DAsZW7NonAvxe93Ww1WE hosted by kim dotcom

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord
holy poo poo this binary ninja thing seems pretty cool :aaa:

Captain Foo
May 11, 2004

we vibin'
we slidin'
we breathin'
we dyin'

This is super cool, also post about binary ninja because idk anything about it. How'd the port scan go?

spankmeister
Jun 15, 2008






Symbolic Butt posted:

I think cocoa crispies will eventually post the source of everything on his github like last year

anyway there isn't anything special in the page's source but here's the level2 binary https://mega.nz/#!ZFth3AhJ!vemcqVGu3LT-1xTUDMPB_m4DAsZW7NonAvxe93Ww1WE hosted by kim dotcom

sw8. I'm about to leave for the day but will take a look tonight (europe time) if you haven't figured it out by then I might be able to help.

spankmeister
Jun 15, 2008






.

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord

Captain Foo posted:

This is super cool, also post about binary ninja because idk anything about it. How'd the port scan go?

I'll try to learn about binary ninja and then later post about what I could get from it

about the port scan... I went to sleep, woke up the next day and it wasn't finished

spankmeister posted:

sw8. I'm about to leave for the day but will take a look tonight (europe time) if you haven't figured it out by then I might be able to help.

feel free to check it, this is the level where the puzzle box is definitely outwitting me, I'm absolute crap at reverse engineering computers

today at lunch I poked the binary with gdb and got "congratulations! http://10.219.2.1:8239/" but I'm not confident this isn't garbage... I'll try this port and post the details later.

suffix
Jul 27, 2013

Wheeee!

Symbolic Butt posted:

I'll try to learn about binary ninja and then later post about what I could get from it

about the port scan... I went to sleep, woke up the next day and it wasn't finished


feel free to check it, this is the level where the puzzle box is definitely outwitting me, I'm absolute crap at reverse engineering computers

today at lunch I poked the binary with gdb and got "congratulations! http://10.219.2.1:8239/" but I'm not confident this isn't garbage... I'll try this port and post the details later.

if you really want to portscan nmap will do it quicker, though i wouldnt be surprised if it only starts after you put in the right password


here's an assembly listing:
http://lpaste.net/82099429439438848

it looks like it reads in a line of text, then calls the "check" function, which calls check_0 to check_11 on the corresponding bytes
each of the checks does some 64-bit additions/subtractions on its byte, then checks that the result is a specific value with the xor/or combo (xor checks that the lower 32 bits is the exact value, or checks that the upper 32 bits are zero)
if a check fails it immediately calls exit(-1)
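A constructed model of the check structure suffix describes above, added here and not the level2 binary's own code: the add/sub/expected constants are made up (chosen so the password reported later in the thread passes), and the point is why this structure is weak: since each check_i looks at only one byte, the positions can be solved independently, 12 * 256 trials instead of 256 ** 12.

```python
MASK64 = (1 << 64) - 1

# Constructed per-position constants (add, sub, expected low 32 bits).
# These are NOT the real binary's values; they are picked so that the
# model accepts "TheRealQuaid" and rejects everything else.
CHECKS = [
    (0x1234, 0x10, 0x1278),
    (0x2000, 0x100, 0x1F68),
    (0xCAFE, 0xBEEF, 0xC74),
    (0x7F, 0x20, 0xB1),
    (0x10000, 0xFFFF, 0x66),
    (0x300, 0x41, 0x320),
    (0xABCD, 0x1, 0xAC38),
    (0x5, 0x50, 0x6),
    (0x1000, 0x75, 0x1000),
    (0xDEAD, 0xBEEF, 0x201F),
    (0x42, 0x69, 0x42),
    (0xFFFFFFFF, 0xFFFFFFF0, 0x73),
]


def check_n(index, byte):
    """Model of check_<index>: 64-bit add/sub on a single byte, then the
    xor/or test. True means the binary would fall through to the next
    check; False means it would call exit(-1)."""
    add, sub, expected_lo = CHECKS[index]
    value = (byte + add - sub) & MASK64          # 64-bit wraparound
    lo, hi = value & 0xFFFFFFFF, value >> 32
    # xor is zero only if lo matches exactly; or-ing in hi is zero only
    # if the upper 32 bits are zero too (a negative wrap sets them all)
    return ((lo ^ expected_lo) | hi) == 0


def check(line):
    """Model of the top-level check(): every position must pass."""
    if len(line) < len(CHECKS):
        return False
    return all(check_n(i, line[i]) for i in range(len(CHECKS)))


def recover_password():
    """Solve each position on its own: the checks never combine bytes,
    so a candidate byte for position i can be tested without knowing
    any other position."""
    out = bytearray()
    for i in range(len(CHECKS)):
        hits = [c for c in range(256) if check_n(i, c)]
        if len(hits) != 1:
            raise ValueError("position %d: %d candidates" % (i, len(hits)))
        out.append(hits[0])
    return bytes(out)
```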

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

suffix posted:

if you really want to portscan nmap will do it quicker, though i wouldnt be surprised if it only starts after you put in the right password

confirm

CRIP EATIN BREAD
Jun 24, 2002

Hey stop worrying bout my acting bitch, and worry about your WACK ass music. In the mean time... Eat a hot bowl of Dicks! Ice T



Soiled Meat
wow binary ninja is nice and has some nice quality of life features compared to IDA

spankmeister
Jun 15, 2008






The password is: TheRealQuaid and the url becomes http://10.219.2.1:5186/

I'm a bit knackered now, but I'll promise to do a writeup.

Symbolic Butt
Mar 22, 2009

(_!_)
Buglord

spankmeister posted:

The password is: TheRealQuaid and the url becomes http://10.219.2.1:5186/

I'm a bit knackered now, but I'll promise to do a writeup.

oh yes I was able to do it too in the most roundabout way

here's a preview of how I did it: https://gist.github.com/mcsalgado/5d255e6635f74f451d10bff4a32ff9be

I guessed the last character though :ssh:

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug
I was lazy:

code:

#!/usr/bin/env python

# docker run --rm -it -v `pwd`:/mnt angr/angr

import angr
import simuvex

proj = angr.Project('./level2', load_options={'auto_load_libs': False})
path_group = proj.factory.path_group(threads=32) # Doesn't really help to have more threads, but whatever.

# find: presumably the address reached once all checks pass; avoid: presumably the exit(-1) failure path
path_group.explore(find=0x8048b0f,
                   avoid=(0x8048410))

print(path_group.found[0].state.posix.dumps(0))  # stdin the solver chose: the password
print(path_group.found[0].state.posix.dumps(1))  # stdout on that path: the congratulations URL

spankmeister
Jun 15, 2008






Symbolic Butt posted:

oh yes I was able to do it too in the most roundabout way

here's a preview of how I did it: https://gist.github.com/mcsalgado/5d255e6635f74f451d10bff4a32ff9be

I guessed the last character though :ssh:

Ah yeah guessing it char by char would work... I got the chars it expects from the code.

Cocoa Crispies posted:

I was lazy:

code:

#!/usr/bin/env python

# docker run --rm -it -v `pwd`:/mnt angr/angr

import angr
import simuvex

proj = angr.Project('./level2', load_options={'auto_load_libs': False})
path_group = proj.factory.path_group(threads=32) # Doesn't really help to have more threads, but whatever.

# find: presumably the address reached once all checks pass; avoid: presumably the exit(-1) failure path
path_group.explore(find=0x8048b0f,
                   avoid=(0x8048410))

print(path_group.found[0].state.posix.dumps(0))  # stdin the solver chose: the password
print(path_group.found[0].state.posix.dumps(1))  # stdout on that path: the congratulations URL

Ah yes angr. I should really practice more with it. Especially in combination with z3.


Podima
Nov 4, 2009

by Fluffdaddy
what's in the BOX
