Playing with programs

Throughout your security adventure, you will need to think outside the box and interact with a lot of different software. This module will walk you through quite a few scenarios of such thinking and such interacting. As you embark on this journey, remember: this is only the beginning.

This dojo errs heavily on the side of comprehensiveness. However, many students enter the dojo already knowing the intricacies of, for example, scripting interactions. Others may be fast learners, and though some review of these concepts is good for these hackers, they might not need all of the nearly 200 challenges in this dojo to drive home the point. For this beginning of your journey, feel free to meander, dig in where you feel compelled to do so, and move on when you are sated.

Dealing with Data

Programs communicate with each other by exchanging variously formatted data over various communication channels. Learning about this concurrently with learning about security concepts can be overwhelming, and thus this module tries to prepare you for the latter by covering the former.

In this module, you will learn the different ways data is reasoned about by programs. In the future, this will help you carefully craft that data to break the recipient program’s security!

what’s the password?

Run file on /challenge/runme. It reports a setuid Python script run through /usr/bin/exec-suid, and the file itself is plain ASCII text rather than a compiled binary, so we can simply read it:

$ file /challenge/runme 
/challenge/runme: setuid a /usr/bin/exec-suid -- /bin/python3 -I script, ASCII text executable

Since the script is plain text, cat shows its source:

$ cat /challenge/runme 
#!/usr/bin/exec-suid -- /bin/python3 -I

import sys


print("Enter the password:")
entered_password = sys.stdin.buffer.read1().strip()
correct_password = b"mlsgeypk"

print(f"Read {len(entered_password)} bytes.")


if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    print(open("/flag").read().strip())
else:
    print("Incorrect!")
    sys.exit(1)

The source hard-codes the expected value in correct_password: mlsgeypk. Note that the script calls .strip() on what it reads, so the newline that the terminal appends when you press Enter is discarded and exactly 8 bytes are compared.

$ /challenge/runme 
Enter the password:
mlsgeypk
Read 8 bytes.
Congrats! Here is your flag:
pwn.college{ktKWtSkIC9xjMunZFPKyqgFyYkP.dlDN2QTMsMzN4EzW}

… and again!

Same approach as the previous challenge: read the script with cat, find the hard-coded password, and type it at the prompt.

newline trouble

This time the program does not strip the input, so the newline that echo (or pressing Enter) appends would become part of the password. echo -n suppresses the trailing newline so exactly the 8 password bytes arrive on stdin:

$ echo -n "rhufyrrl" | /challenge/runme

reasoning about files

Write the password to a file without a trailing newline, then feed the file's contents to the program. (Redirecting stdin with /challenge/runme < ryoy would do the same without the extra cat.)

$ echo -n "mgisghaz" > ryoy && cat ryoy | /challenge/runme

specifying filenames

Here the file name is additionally passed as a command-line argument, so the program can open the file itself; the contents are piped on stdin as well:

$ echo -n "pqezyduw" > k1ose && cat k1ose | /challenge/runme k1ose

binary and hex encoding

$ echo -n "f8" | /challenge/runme

more hex

$ echo -n "f6c1dcedb5d8a8da" | /challenge/runme

decoding hex

Here the program wants the raw bytes, not their hex spelling. With -e, echo interprets the \xNN escapes, and -n again suppresses the trailing newline. Be aware that -e is a bash builtin extension: under /bin/sh (dash), echo prints "-e" literally, so printf (with octal \NNN escapes) or xxd -r -p is the portable way to emit raw bytes.

$ echo -e -n "\xc9\x94\xbe\x86\xfd\xbf\xc5\xa5" | /challenge/runme

decoding practice

Use Python to turn the binary string into raw bytes. int(s, 2) parses the bit string as one big integer, and to_bytes packs it big-endian into len(s) // 8 bytes; Python prints the result with \xNN escapes, which is exactly what echo -e needs:

$ python
Python 3.12.8 (main, Dec 3 2024, 18:42:41) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> s = "1111000111000000110001001100101010000110100000111000110010101000"
>>> a = int.to_bytes(int(s, 2), length=len(s) // 8, byteorder="big")
>>> a
b'\xf1\xc0\xc4\xca\x86\x83\x8c\xa8'

Then feed those bytes to the program with echo -e -n, as in the previous challenge:

$ echo -e -n "\xf1\xc0\xc4\xca\x86\x83\x8c\xa8"  | /challenge/runme
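The binary, hex and raw-byte conversions used across the "binary and hex encoding", "decoding hex" and "decoding practice" challenges are all the same handful of operations. The following is an added example written for this writeup (it is not part of pwn.college or any challenge script): small helpers that convert between bit strings, hex strings and bytes, reject malformed input instead of silently padding it, and build a shell command that delivers the exact bytes without a trailing newline. The sample values are the constructed ones already used on this page, and the target path /challenge/runme is just the default argument.

```python
"""Encoding helpers for feeding challenge programs exact bytes.

Added example for this writeup, not code from any challenge. The sample
values are constructed (they are the ones used elsewhere on this page).
"""


def bits_to_bytes(bits: str) -> bytes:
    """'1111000111000000...' -> b'\\xf1\\xc0...'.

    Each byte needs exactly 8 bits. A length that is not a multiple of 8
    is rejected rather than padded, because left- and right-padding give
    different bytes and guessing silently hides the mistake.
    """
    if len(bits) % 8 != 0 or set(bits) - {"0", "1"}:
        raise ValueError("binary string must contain only 0/1 in groups of 8 bits")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data: bytes) -> str:
    """Inverse of bits_to_bytes: each byte becomes 8 zero-padded bits."""
    return "".join(f"{b:08b}" for b in data)


def hex_to_bytes(text: str) -> bytes:
    """'c994be86fdbfc5a5' -> raw bytes.

    bytes.fromhex tolerates whitespace between byte pairs and raises
    ValueError on an odd number of digits or a non-hex character.
    """
    return bytes.fromhex(text)


def bytes_to_hex(data: bytes) -> str:
    """Raw bytes -> lowercase hex string, two digits per byte."""
    return data.hex()


def echo_command(data: bytes, target: str = "/challenge/runme") -> str:
    """bash-style one-liner, mirroring the echo -e -n used in this writeup.

    Only correct where echo is bash's builtin: dash's echo has no -e.
    """
    escapes = "".join(f"\\x{b:02x}" for b in data)
    return f'echo -e -n "{escapes}" | {target}'


def printf_command(data: bytes, target: str = "/challenge/runme") -> str:
    """Portable one-liner that writes exactly `data` (no newline) to stdin.

    Octal \\NNN escapes are used because POSIX printf guarantees them,
    whereas \\xNN is a bash/coreutils extension that dash's printf lacks.
    """
    escapes = "".join(f"\\{b:03o}" for b in data)
    return f"printf '{escapes}' | {target}"


if __name__ == "__main__":
    # Constructed sample inputs taken from the challenges above.
    bits = "1111000111000000110001001100101010000110100000111000110010101000"
    raw = bits_to_bytes(bits)
    print(raw)                      # b'\xf1\xc0\xc4\xca\x86\x83\x8c\xa8'
    print(bytes_to_hex(raw))
    print(echo_command(hex_to_bytes("c994be86fdbfc5a5")))
    print(printf_command(hex_to_bytes("c994be86fdbfc5a5")))
```

Run it and paste the printed command into the challenge shell; printf_command is the one to prefer when you are unsure which shell will execute the line, since it works under bash, dash and coreutils printf alike.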

encoding practice