Phoenix - Net Two
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>
/* Greeting printed once at startup. LEVELNAME is not defined anywhere in this
 * listing; presumably the build supplies it (e.g. with -D) -- TODO confirm. */
#define BANNER \
"Welcome to " LEVELNAME ", brought to you by https://exploit.education"
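/*
 * Net Two: write sizeof(long) random unsigned longs to stdout as raw bytes,
 * then read one unsigned long from stdin and compare it with their sum.
 *
 * The sum is kept in an unsigned long, so it wraps modulo
 * 2^(8 * sizeof(long)); a client must reduce its own sum the same way.
 *
 * Returns 0 whether or not the answer matched; exits with status 1 through
 * errx() if getrandom(), write() or read() does not transfer the full size.
 */
int main(int argc, char **argv) {
    /* sizeof(long) elements, each sizeof(long) bytes wide. */
    unsigned long quad[sizeof(long)], result, wanted;
    size_t i;

    /* Unbuffered streams so the banner and the raw values leave immediately. */
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stderr, NULL, _IONBF, 0);

    printf("%s\nFor this level, sizeof(long) == %d, keep that in mind :)\n",
           BANNER, (int)sizeof(long));

    if (getrandom((void *)&quad, sizeof(quad), 0) != (ssize_t)sizeof(quad)) {
        /* %zu matches size_t; the previous %d was a format/argument mismatch. */
        errx(1, "unable to getrandom(%zu bytes)", sizeof(quad));
    }

    result = 0;
    for (i = 0; i < sizeof(long); i++) {
        result += quad[i]; /* unsigned addition: wraps, never traps */
        /* Each value goes out in the host's in-memory byte order. */
        if (write(1, (void *)&quad[i], sizeof(long)) != (ssize_t)sizeof(long)) {
            errx(1, "Why have you foresaken me, write()");
        }
    }

    /* One read() call only: a short read counts as failure, not a retry. */
    if (read(0, (void *)&wanted, sizeof(long)) != (ssize_t)sizeof(long)) {
        errx(1, "Unable to read\n");
    }

    if (result == wanted) {
        printf("You have successfully passed this level, well done!\n");
    } else {
        printf("Whoops, better luck next time. Receieved %lu, wanted %lu\n", wanted,
               result);
    }

    return 0;
}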
This level fills quad with 64 random bytes (8 unsigned longs of 8 bytes each). It then loops over quad one 8-byte value at a time, adding each value to result and writing its raw bytes to the client.
So we will read 8 long numbers, add them and send the sum back.
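The server keeps the sum in an unsigned long, so it silently wraps around modulo 2^64. Python integers do not wrap, so we have to apply the bit mask 0xffffffffffffffff to our sum to get the same 64-bit value.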
Solution:
# solve.py
from pwn import *
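# Connect to the level's service on localhost, port 64002.
con = remote("localhost", 64002)
print(con.recvline())  # greeting banner
print(con.recvline())  # "sizeof(long) == 8" notice

# The server sends 8 unsigned longs of 8 bytes each. recvn() waits until
# exactly 8 bytes have arrived; recv(8) may return fewer on a stream socket,
# which would make u64() fail.
# u64()/p64() use pwntools' default byte order (little-endian) -- this assumes
# the server host is little-endian as well.
total = 0
for _ in range(8):
    total += u64(con.recvn(8))
    # Mirror the server's unsigned long arithmetic: reduce modulo 2**64.
    total &= 0xffffffffffffffff

con.send(p64(total))  # reply with the sum packed into 8 bytes
print(con.recv())  # pass/fail message from the server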
$ python solve.py
[+] Opening connection to localhost on port 64002: Done
Welcome to phoenix/net-two, brought to you by https://exploit.education
For this level, sizeof(long) == 8, keep that in mind :)
You have successfully passed this level, well done!
[*] Closed connection to localhost port 64002