Phoenix - Net One


#include <err.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Greeting printed once at startup. LEVELNAME is not defined in this listing;
 * presumably it is supplied by the build (e.g. -DLEVELNAME=...) -- confirm.
 */
#define BANNER \
  "Welcome to " LEVELNAME ", brought to you by https://exploit.education"

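/*
 * Net One: send a random 32-bit value to the peer as raw bytes and check that
 * the reply read from stdin is the same value written as an unsigned decimal
 * string.
 *
 * Returns 0 after printing the verdict. Exits with status 1 via errx() if the
 * random value cannot be obtained or written, or if no reply can be read.
 */
int main(int argc, char **argv) {
  uint32_t i;
  char buf[12], fub[12], *q;

  (void)argc;
  (void)argv;

  /* Unbuffered output so the banner and the raw bytes go out immediately. */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  printf("%s\n", BANNER);

  if (getrandom((void *)&i, sizeof(i), 0) != (ssize_t)sizeof(i)) {
    /* sizeof yields size_t, so the matching conversion is %zu, not %d. */
    errx(1, "unable to getrandom(%zu bytes)", sizeof(i));
  }

  /*
   * The integer is written straight from memory, so the peer receives it in
   * this host's native byte order rather than in network byte order.
   */
  if (write(1, &i, sizeof(i)) != (ssize_t)sizeof(i)) {
    errx(1, "unable to write %zu bytes", sizeof(i));
  }

  /* fgets() stores at most sizeof(buf) - 1 characters, so buf cannot overflow. */
  if (fgets(buf, sizeof(buf), stdin) == NULL) {
    errx(1, "who knew that reading from stdin could be so difficult");
  }
  buf[sizeof(buf) - 1] = 0;

  /* Cut the reply at the first CR or LF so "123\r\n" and "123\n" both match. */
  q = strchr(buf, '\r');
  if (q) *q = 0;
  q = strchr(buf, '\n');
  if (q) *q = 0;

  /*
   * A uint32_t needs at most 10 digits plus the terminator, which fits in
   * fub; snprintf() keeps the write bounded by the buffer size regardless.
   */
  snprintf(fub, sizeof(fub), "%u", i);
  if (strcmp(fub, buf) == 0) {
    printf("Congratulations, you've passed this level!\n");
  } else {
    /* The reply is echoed through %s, never used as a format string. */
    printf("Close, you sent \"%s\", and we wanted \"%s\"\n", buf, fub);
  }

  return 0;
}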

This code generates a random 4-byte integer and sends it to the receiver as raw bytes, written straight from memory and therefore in the server's native byte order.

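The goal here is to convert these bytes to a number, then send it back to the server as an ASCII string (the server compares the reply against the value formatted with %u, i.e. unsigned decimal).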

Solution:

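# solve.py
# Client for the net-one level: read the raw 32-bit value the server sends
# and reply with the same value as an ASCII decimal string.

from pwn import *

con = remote("localhost", 64001)    # connect to localhost on port 64001
print(con.recvline())               # receive the greeting message

# recvn() blocks until exactly 4 bytes have arrived; a plain recv(4) may
# return fewer, which would make u32() fail on a short read.
num_bytes = con.recvn(4)

# u32() unpacks little-endian by default. The server writes the integer
# straight from memory, so this assumes the server runs on a little-endian host.
num = str(u32(num_bytes))

# Send bytes rather than str so the script behaves the same on Python 2 and 3;
# sendline() appends the trailing newline the server's fgets() waits for.
con.sendline(num.encode())

print(con.recv())                   # receive the final message
con.close()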
$ python solve.py
[+] Opening connection to localhost on port 64001: Done
Welcome to phoenix/net-one, brought to you by https://exploit.education

Congratulations, you've passed this level!
[*] Closed connection to localhost port 64001