# Pulse :: Challenge Guide
Pulse is a pwn/memory corruption challenge where your goal is to weaponise (exploit) a vulnerability in a compiled `C` binary. The challenge card on the [CTF website](https://gradctf.web.app/) provides you with this compiled binary to download and reverse/test locally.
The first stage of many exploits is to develop a working version on your machine and than use it against a hosted/deployed version. This is also the case here. To symbolise a working exploit the downloadable binary includes a **fake** flag which should be printed to the screen upon successfully hacking the binary.
The next stage is to retrive the real flag (I.E exploit) the remote server.
**Goal Summary*
1. Develop and test your exploit on you're own machine/vm to get the dummy flag
2. Run you're exploit against the remote server to get the real flag
- [TL;DR/Quick Start](#Quick-Start)
- [What is a pwn challenge](#What-is-a-PWN-Challenge)
- [What is nc](#What-is-nc)
- [Tooling](#What-is-nc)
## What is a PWN Challenge?
A pwn challenge is the colloquial name for a binary exploitation challenge. These kinds of challenges are centered around buffer overflow exploits, Return Oriented Programming and other memory corruption techniques.
There are lots of fantastic places to learn about these techniques on the internet but a few notable metions are:
+ [Nightmare](https://guyinatuxedo.github.io/index.html)
+ [Rop Emporium](https://ropemporium.com/)
## What is `nc`
You may have seen in the challenge connection command string,
```
nc 188.166.204.182 1337
```
`nc` is short for 'net cat' which is a command line tool used to connect to remote servers via `tcp`. The command shown has the syntax:
```
nc <remote-server-ip> <port>
```
## Tooling
While pwn used to be hardcore in your terminal type stuff its 2022 now and the first buffer overflow exploits were developed as early as 1972. All this means is we have a bunch of cool tooling now. Checkout:
+ [pwntools - the swiss army knife of pwn](https://docs.pwntools.com/en/stable/index.html)
+ [pwndbg - gdb but its not sh$t](#https://github.com/pwndbg/pwndbg)
+ [binary ninja - makes reverse engineering look like drawio](#https://binary.ninja/)
+ [cutter - alternative to binary nijas free demo version](#https://cutter.re/)
## Quick Start
That's a lot of reading :X I know, but don't worry learn as you go! Heres a series of commands to blindy paste in ur terminal and a template for the challenge to get started.
**Install Main Things**
```bash
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools
```
### Template
Get the boring stuff out of the way and start hacking with this template for the pulse challenge.
**Note: This is best done on an ubuntu VM or docker img**
#### usage
1. Put the `pulse` binary and this python file in the same directory
2. Create the exploit file, here we cal it `exploit.py` and copy the template contents into it
3. Make it executable `chmod +x exploit.py`
4. Run the exploit template with: `./exploit.py <ip>`
5. When your ready to run against the remote sever change the `IS_LOCAL` flag to `False`
To begin with all you will see is the normal binary output along with some inforamtion about the binary that pwntools prepends. Interacting with the program to exploit it is up to you now! Although some hit stubs have been left in the template.
```python
#!/usr/bin/python3
from pwn import *
'''
::::::::: [▶ PULSE EXPLOIT ◀] :::::::::
🏴☠️ exploit code for the pulse app
# [Usage]
./exploit.py <ip>
# [Memory Protections]
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
# [Debug]
1. Turn on pause line 68
2. Run the exploit file
3 Attach to the paused process with
gdb and the displayed pid
$ gdb
(gdb) attach <pid>
(gdb) ni
:::::::::::::::::::::::::::::::::::::::
'''
# LOCAL || REMOTE SETTING
IS_LOCAL = True
def hack_the_planet(ip, local=False):
print("[>>] Starting our run 🚀")
# [CONFIG]
# connect to the target or link local bin
# !IMPORTANT - place the target file (pulse)
# in the same directory as this
# file
local_bin = "./pulse"
# auto detect context (x86_64)
context.binary = local_bin
if local:
proc = process(local_bin)
else:
proc = remote(ip, 1337)
# create ELF object
elf = ELF(local_bin)
# calculate the offset based off
# the cyclic pattern bytes that
# overwrites the return pointer
# offset = cyclic_find("!TODO")
# log.info(f"Offset @ {offset}")
# build payload - @TODO
# payload = flat({})
# [DEBUG]
# pause()
# send the payload to the vulnerable input
# proc.sendline(payload)
if not local:
# rcv flag on remote server
print(proc.recvall()[-65:-37])
# capture stdout
proc.interactive()
if __name__ == '__main__':
# check ip is provided
if len(sys.argv) != 2:
print("[>>] Usage: ./exploit.py <ip>")
exit(1)
hack_the_planet(sys.argv[1], local=IS_LOCAL)
```
#### Super Stuck?
Have a hint! This challenge is a type of buffer overflow challenge known as a return to win or (ret2win). That means that the binary contains a special function which will, in our case, print the flag to the screen.
If we can redirect code execution, via our overflow, to this 'win function' we get the flag. You can read more about these kinds of challenges [here](https://secsheets.cybernetic.coffee/binary-exploitation/bufferoverflows/#ret2win) if your still lost.
**Source Code**
The source code for the challenge binary is also avaliable (without the actual flag of course) [here](https://github.com/GMFarquaad/Pulse/tree/master/pulse).
Sign in with Wallet
Connect another wallet