
Defcon 2015 Coding Skillz 1 Writeup

On connecting to the service, we receive a dump of the 64-bit CPU registers, followed by some binary code, as you can see:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the 10-second server socket timeout.

The exploit is quite simple: we set the CPU registers to these values, execute the code and read the resulting registers.

In Python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject several movs at the beginning to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The movs and the binary code are then built as 64-bit code, with the last ret instruction replaced by a sigtrap, "int 3".
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

We then use GDB to execute the code until the sigtrap and get the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers, send them to the server in the same format, and get the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()
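As an added example (not the author's script), here is a Python 3 version of the parsing steps and the mov prologue described above. It matches whole register names and splits on any whitespace instead of relying on a fixed column index. The banner wording, the sample values, the 0x-prefixed reply format and all function names are assumptions constructed for illustration.

```python
import re

# Register order used for both the mov prologue and the reply.
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'r8', 'r9',
        'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample data (not captured from the real service or a real run).
SAMPLE_BANNER = (''.join('%s=0x%x\n' % (r, i + 1) for i, r in enumerate(REGS))
                 + 'About to send 3 bytes: \n')
SAMPLE_GDB = (''.join('%-15s0x%-18x%d\n' % (r, i * 3, i * 3)
                      for i, r in enumerate(REGS))
              + 'rip            0x4000b0\t0x4000b0\n'
              + 'eflags         0x246               [ PF ZF IF ]\n')

def parse_challenge(text):
    """Return (initial registers, code size) from the server banner."""
    regs, size = {}, 0
    for line in text.splitlines():
        m = re.fullmatch(r'(\w+)=(0x[0-9a-fA-F]+)', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 16)
        m = re.search(r'(\d+) bytes', line)
        if m:
            size = int(m.group(1))
    return regs, size

def mov_prologue(regs):
    """NASM lines that load the initial state before the received code."""
    return ['mov %s, 0x%x' % (r, regs[r]) for r in REGS]

def parse_info_registers(gdb_output):
    """Read final values from `info registers`, matching whole names only."""
    final = {}
    for line in gdb_output.splitlines():
        # Column 1 is the name, column 2 the hex value; tabs or spaces between.
        m = re.match(r'^(\w+)\s+(0x[0-9a-fA-F]+)\b', line)
        if m and m.group(1) in REGS:
            final[m.group(1)] = int(m.group(2), 16)
    return final

def format_reply(final):
    """Answer as name=value lines (assumed 0x-prefixed hex, one per line)."""
    return '\n'.join('%s=0x%x' % (r, final[r]) for r in REGS) + '\n'
```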




