OverTheWire

semtex

Posted by rk700 on July 17, 2014
  • semtex0
    首先把文件下载下来: 
    $ nc 178.79.134.250 24001 > semtex

    然后每两个bytes打印一个:

import sys

fin = open('semtex1', 'rb')
fout = open('semtex1.out', 'wb')
while 1:
    bytes = fin.read(2)
    if not bytes:
        break
    fout.write(bytes[0])
  • semtex1
    用控制变量法之类的,发现加密的方法,然后解密:
a='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
c='HRXDZNWEAWWCP'
p=[None]*len(c)

p[12] = c[0]

p[11] = a[(a.index(c[5])+13)%26]

p[10] = a[(a.index(c[8])-19)%26]

p[9] = a[(a.index(c[3])-3)%26]

p[8] = a[(a.index(c[6])-15)%26]

p[7] = a[(a.index(c[1])-23)%26]

p[6] = a[(a.index(c[4])-13)%26]

p[5] = a[(a.index(c[11])-20)%26]

p[4] = a[(a.index(c[2])-12)%26]

p[3] = a[(a.index(c[9])-4)%26]

p[2] = a[(a.index(c[12])-11)%26]

p[1] = a[(a.index(c[7])-10)%26]

p[0] = a[(a.index(c[10])-10)%26]

print(''.join(p))

  • semtex2
    devils number是666

    通过提示,还是要用LD_PRELOAD。写一个c文件,定义函数geteuid,然后编译为库:

    $ gcc -m32 --shared -fPIC preload.c -o preload.so

    再定义LD_PRELOAD

  • semtex3
    相当于求一个线性方程组的整数解,用matlab穷举了,类似于 
    [i,j,k,m]=ndgrid(1:11);
n=find(i+j+k+m==11);
s=[i(n),j(n),k(n),m(n)]

    最后得到各个数字的个数为2, 3, 1, 1, 3, 1, 2, 0。输入得到shell

  • semtex4
    之前的一直都没有读的权限,到这里实在是不爽。在网上搜了下,找到一个用来dump内存的工具:xocopy。用它把semtex4转存下来,再用IDA分析。

    由于dump之后的程序比较大(估计是把相关的库,或者是准备的函数什么的都存了),打开比较慢。我们直接查找字符串password,进到了一个函数里。检查调用这个函数的函数,可以知道这个就是main。然后我们直接看汇编,得到密码会一个个字符打出来

    然后看了看其他人的解答,还是用ptrace修改eax的值来达到修改geteuid返回值的目的。由于geteuid的syscall是0xc9,当上一步eax是0xc9时,将eax改为6005。具体看http://0xbadc0de.org/blog/2013/11/17/wargame-semtex-4-solution/

  • semtex5
    这里要求从10个不同的ip连过去。可以用localhost.

    IPv4 network standards reserve the entire 127.0.0.0/8 address block for loopback purposes.

    我们用10个thread,每个收10bytes,与密码xor之后,附加上一个共同的10bytes的id。最后某一个连接读密码。

import socket
import threading

class semtex(threading.Thread):
    def __init__(self, lock, raddr, rport, tid, passwd, ansID):
        threading.Thread.__init__(self)
        self.tid = tid
        self.raddr = raddr
        self.rport = rport
        self.passwd = passwd
        self.ansID = ansID
        self.lock = lock
    def run(self):
        print("start %d" % self.tid)
        self.doWork()
        print("end %d" % self.tid)
    def doWork(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        laddr = "127.0.0.%d" % self.tid
        s.bind((laddr,0))
        s.connect((self.raddr,self.rport))
        data = s.recv(128)
        ans = [None]*20
        for i in range(len(self.passwd)):
            ans[i] = ord(data[i]) ^ ord(self.passwd[i])
        ans[10:] = list(ansID)
        s.send(bytearray(ans))
        data = s.recv(128)
        self.lock.acquire()
        print("recv: %s" % data)
        self.lock.release()

if __name__=="__main__":
    tidList = range(2,12)
    lock = threading.Lock()
    raddr = "127.0.0.1"
    rport = 24027
    passwd = "HELICOTRMA"
    ansID = "nabla12345"

    threads = []
    for tid in tidList:
        thread = semtex(lock, raddr, rport, tid, passwd, ansID)
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()
FEATURED TAGS
HTTP wechall PHP linux sql exploit crypto OverTheWire reverse how-to binary pwnable.kr ksnctf misc android webhacking.kr fuzzing