|
at least poke some holes in it before all the mealworms die
|
# ? Jan 12, 2017 19:43 |
|
|
# ? May 18, 2024 08:17 |
|
did you try searching for dead beeves
|
# ? Jan 12, 2017 23:27 |
|
sorry guys, I opened the box on monday but something always been coming up when I start writing the post
|
# ? Jan 13, 2017 02:56 |
|
here's what's in the web server in the box: https://i.bf1c.us/pinhead2/ incremental game: https://i.bf1c.us/pinhead2/post-incremental/ level2 binaries: these were a pain because qemu-i386-static wanted a statically linked binary but angr wanted a smaller binary, so i made both: https://i.bf1c.us/pinhead2/level2.angrable https://i.bf1c.us/pinhead2/level2.runnable in retrospect i could've just done the runnable compile for arm but ¯\_(ツ)_/¯ source is at https://github.com/bkerley/pinhead2 , ignore level1, angr and rust weren't easy to make work and i wasn't getting paid to work on this heh
|
# ? Jan 13, 2017 17:06 |
|
Symbolic Butt posted:maybe the right way to go about it is to actually, you know, debug the binary... but gently caress the police <chapter 3 the end> so yeah that's what I decided to do, looking at the binary with binary ninja is pretty neat but guess what I'm terribly lazy at reading assembly one place that I looked carefully was this rodata section, this is where a lot of the constant data is placed in the binary, as you can see by the strings... but there isn't anything that looks like a password or the right port here the thing about programming is... it's way easier to understand code actually running it this is a 32-bit Linux executable compiled on Ubuntu so let's start up a vagrant machine for this gdb is kind of a clunky tool... pretty much everything I know about it I learned at this one video at a Coursera course where the TA made a tutorial for it: https://courses.cs.washington.edu/courses/cse351/videos/tutorials/gdb.mp4 a lasting side-effect of this education is how every time I open gdb I think "ah... put together by a mad man I see" quote:ubuntu@ubuntu-xenial:/vagrant$ gdb level2 so this is the first thing that I tried: I cheated the execution, I jumped to the instruction pointer where it displays the congratulations message. this didn't work, it didn't display the right port, it displayed garbage instead. and like cocoa crispies said, it's just not a matter of knowing which is the right port, the puzzle box has to open that port... so no cheating. I decided to step through the instructions and try to understand how it works like suffix described the binary has those 12 check subroutines. the first one checks for a value... because I'm bad at reading assembly I decided to guess this value. gdb can run scripts... it kind of looks like shell script but not really? well, judging the language design of gdb scripting is besides the point. I decided to write a python script that loops over every 8 bit value and write a gdb script and runs it with gdb and see if it didn't exit with an error. this kind of tacky roundabout poo poo is called meta-programming, I used to think it was supposed to be some fairly cool poo poo but not really... it does sound cool though and I feel like I tricked a boss of mine once with this terminology, he thought I was hot poo poo so anyway I found the value, it was 86... at this point I realized that the code wasn't doing anything too fancy, every value that each check subroutine checks... is a character from the input in sequence! I generalized this idea a bit and the result was this script: https://gist.github.com/mcsalgado/5d255e6635f74f451d10bff4a32ff9be it keeps trying for every check my script is bad and it didn't find the last character but having "TheRealQuai" it's pretty easy to guess the last character quote:$ telnet 10.219.2.1 1338 so... did it work? yes! so the mystery is over, besides the raspberry pi and the puzzle box mechanism this is what I found inside the puzzle box: Nice! I'll frame this medal and display it to inform everyone that I'm a true cultivated hacker thanks Cocoa Crispies for giving me this opportunity to learn more, I never heard of angr before but I'm definitely reserving some time to learn more about it, it definitely seems way better than this gdb script poo poo approach of mine. also thanks for the guys itt and sorry again for taking so long to write this up Symbolic Butt fucked around with this message at 06:20 on Jan 16, 2017 |
# ? Jan 16, 2017 06:15 |
|
Cocoa Crispies posted:source is at https://github.com/bkerley/pinhead2 , ignore level1, angr and rust weren't easy to make work and i wasn't getting paid to work on this heh lol now that I see the c code it's so much easier to make sense of the assembly
|
# ? Jan 16, 2017 06:17 |
|
Symbolic Butt posted:lol now that I see the c code it's so much easier to make sense of the assembly one of the little status bar doodads in binja lets you enable "low level IL" which I find easier to read than intel or AT&T style asm
|
# ? Jan 16, 2017 06:28 |
|
wow this insanely owns
|
# ? Jan 16, 2017 06:50 |
|
That owns. Hmm I should write up how I did it without brute forcing.
|
# ? Jan 16, 2017 09:22 |
|
great job
|
# ? Jan 16, 2017 10:06 |
|
spankmeister posted:That owns. Hmm I should write up how I did it without brute forcing. go ahead if it's not too much work. I like seeing how other people approach a problem btw I like how I was all "I'm not gonna cheat" but then I cheated anyway
|
# ? Jan 16, 2017 12:01 |
|
ya i gotta redo it a lil so i can make screenshots but i'll get it done
|
# ? Jan 16, 2017 12:07 |
|
Symbolic Butt posted:go ahead if it's not too much work. I like seeing how other people approach a problem lol writing a script to brute it isn't cheating, that's basically what angr does as i understand it
|
# ? Jan 16, 2017 18:36 |
|
Bloody posted:wow this insanely owns
|
# ? Jan 16, 2017 18:41 |
|
Symbolic Butt posted:go ahead if it's not too much work. I like seeing how other people approach a problem I still intend to do this but I'm not allowing myself yet, because I'm dodging some work for university right now and I am not allowing myself to do this writeup or any other kind of "work" until I finish my research stuff for the uni. So stay tuned.
|
# ? Jan 21, 2017 13:16 |
|
Awesome read! Thank you for sharing and nicely done. I hope to see more like this in the future.
|
# ? Jan 27, 2017 09:33 |
|
one thing that I just learned about binary ninja: Intermediate Language instead of reading the assembly you can view the code in a (somewhat) higher level language you click at Options > Low Level IL and yep, suddenly this became (somewhat) more readable! look at that je becoming an if, so neat and this works with every architecture that binary ninja supports, so I suppose if you get used to this IL you'll be able to read well in any architecture
|
# ? Jan 30, 2017 03:38 |
|
Symbolic Butt posted:one thing that I just learned about binary ninja: Intermediate Language https://blog.trailofbits.com/2017/01/31/breaking-down-binary-ninjas-low-level-il/ is about this, probably a good read
|
# ? Feb 3, 2017 02:07 |
|
i use r2. that intermediate representation looks like dog doo doo
|
# ? Feb 3, 2017 02:26 |
|
what is r2
|
# ? Feb 3, 2017 03:28 |
|
a robot, or "droid", in the star trek series
|
# ? Feb 3, 2017 04:21 |
|
CRIP EATIN BREAD posted:what is r2 radare2 is another disassembly tool, distinguished by its unusable ui even compared to ida pro
|
# ? Feb 3, 2017 16:37 |
|
Cocoa Crispies posted:radare2 is another disassembly tool, distinguished by its unusable ui even compared to ida pro and that's saying something holy moly I've had two trainings by the venerable Chris Eagle (he wrote THE book on Ida) and I still struggle.
|
# ? Feb 3, 2017 16:53 |
|
|
# ? May 18, 2024 08:17 |
|
gdb has a gui thing that i always forget about too.
|
# ? Feb 3, 2017 19:01 |