Net 0
Write-up for: https://exploit.education/phoenix/net-zero/.
The challenge
This challenge serves as an intro to network programming and the obstacles you need to overcome in the context of exploit development, such as endianness and encoding.
The first step is to observe the behavior of the program by connecting to it. We can do this using netcat.
user@phoenix-amd64:~$ nc 127.0.0.1 64000
Welcome to phoenix/net-zero, brought to you by https://exploit.education
Please send '266126999' as a little endian, 32bit integer.
266126999
Close - you sent 825636402 instead
user@phoenix-amd64:~$ nc 127.0.0.1 64000
Welcome to phoenix/net-zero, brought to you by https://exploit.education
Please send '2539383473' as a little endian, 32bit integer.
AAAA
Close - you sent 1094795585 instead
There are two things to observe here.
- The number we are supposed to send is randomized
- The number is not parsed from a string but our input is directly interpreted as a 32-bit integer (AAAA = 0x41414141 = 1094795585)
Now we know what we need to implement:
- Connect to the socket
- Read two lines
- Parse the required number from the second line
- Send the number as a little-endian integer
- Read the result line
And here’s the implementation in Python:
import struct
import socket
HOST = "127.0.0.1"
PORT = 64000
def read_line_from_sock(socket):
buf = ""
while True:
b = s.recv(1)
if b == b'\n':
break
buf += b.decode("ascii")
return buf
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((HOST, PORT))
print(read_line_from_sock(s))
query = read_line_from_sock(s)
print(query)
num_to_send = str(query).split()[2].split("'")[1]
s.sendall(struct.pack('<I', int(num_to_send)))
print(read_line_from_sock(s))
We use struct.pack to convert the number into a little-endian byte array. Let’s see it in action:
user@phoenix-amd64:~$ python3 net0.py
Welcome to phoenix/net-zero, brought to you by https://exploit.education
Please send '3232984659' as a little endian, 32bit integer.
You have successfully passed this level, well done!
Done!