TryHackMe - Industrial Intrusion

## Re: auth Main function ![image](https://hackmd.io/_uploads/HyTQtHbBxg.png) Input s(s1) after transform() is compared with s2 ![image](https://hackmd.io/_uploads/S1VsKrZHxl.png) transform() just basic xor Sovle: ```python from pwn import * # solve a = bytes.fromhex('EFCDAB8967452301')[::-1] key = 0x55 res = '' for i in range(len(a)): res += hex(a[i] ^ key)[2:] # send input p = remote('10.103.170.209', 9005) p.sendline(bytes.fromhex(res)) print(p.recvline()) ``` ## Re: access_granted Main function ![image](https://hackmd.io/_uploads/BJ5e5BbHxe.png) Basic compare pass with buf (input user) ![image](https://hackmd.io/_uploads/ryYNqSWHge.png) pass is hardcode: industrial -> input = **industrial** ## Re: simple protocol Main function ```c! __int64 __fastcall main(int a1, char **a2, char **a3) { uint16_t v4; // [rsp+Ch] [rbp-74h] uint16_t v5; // [rsp+Eh] [rbp-72h] socklen_t addr_len; // [rsp+10h] [rbp-70h] BYREF int fd; // [rsp+14h] [rbp-6Ch] int v8; // [rsp+18h] [rbp-68h] uint32_t v9; // [rsp+1Ch] [rbp-64h] uint32_t v10; // [rsp+20h] [rbp-60h] int v11; // [rsp+24h] [rbp-5Ch] uint32_t v12; // [rsp+28h] [rbp-58h] uint32_t v13; // [rsp+2Ch] [rbp-54h] ssize_t v14; // [rsp+30h] [rbp-50h] uint32_t v15[2]; // [rsp+3Ch] [rbp-44h] BYREF uint16_t buf[2]; // [rsp+44h] [rbp-3Ch] BYREF uint32_t netlong; // [rsp+48h] [rbp-38h] uint32_t v18; // [rsp+4Ch] [rbp-34h] sockaddr addr; // [rsp+50h] [rbp-30h] BYREF struct sockaddr v20; // [rsp+60h] [rbp-20h] BYREF unsigned __int64 v21; // [rsp+78h] [rbp-8h] v21 = __readfsqword(0x28u); addr_len = 16; fd = socket(2, 1, 0); if ( fd < 0 ) { perror("socket"); exit(1); } addr.sa_family = 2; *&addr.sa_data[2] = 0; *addr.sa_data = htons(0x115Cu); if ( bind(fd, &addr, 0x10u) < 0 ) { perror("bind"); exit(1); } if ( listen(fd, 5) < 0 ) { perror("listen"); exit(1); } printf("Listening on port %d\n", 4444); v8 = accept(fd, &v20, &addr_len); if ( v8 < 0 ) { perror("accept"); exit(1); } puts("Connection received."); v14 = recv(v8, buf, 0xCuLL, 256); if ( v14 != 12 ) { fwrite("Failed to receive header.\n", 1uLL, 0x1AuLL, stderr); exit(1); } v4 = ntohs(buf[0]); v5 = ntohs(buf[1]); v9 = ntohl(netlong); v10 = ntohl(v18); v11 = ((v4 ^ v5) << 16) | v10; if ( v9 != v11 ) { fwrite("Checksum validation failed.\n", 1uLL, 0x1CuLL, stderr); exit(1); } v14 = recv(v8, v15, 8uLL, 256); if ( v14 != 8 ) { fwrite("Failed to receive body metadata.\n", 1uLL, 0x21uLL, stderr); exit(1); } v12 = ntohl(v15[0]); v13 = ntohl(v15[1]); if ( v12 != v10 ) { fwrite("Body payload_id does not match header.\n", 1uLL, 0x27uLL, stderr); exit(1); } if ( v13 > 0x40 ) { fwrite("Payload size too large.\n", 1uLL, 0x18uLL, stderr); exit(1); } if ( v5 == 256 ) { sub_1421(v8); } else { if ( v5 > 0x100u ) goto LABEL_27; if ( v5 == 1 ) sub_13C9(v8); if ( v5 != 16 ) { LABEL_27: fprintf(stderr, "Invalid command: 0x%x\n", v5); exit(1); } sub_13E2(v8); } close(v8); close(fd); return 0LL; } ``` This chall is simple connect socket at port 4444 trigger this call ```c! if ( v5 == 256 ){ sub_1421(v8); // Get flag here } ``` **Requirements:** * Header have 12 bytes (split 2 paths v4 and v5) * v5 == 256 * Header pass checksum validation * payload_id == v10 * payload_size <= 0x40 ```python! from pwn import * header1 = 0x1234 # arbitrary header2 = 0x100 # 256 to trigger sub_1421() payload_id = 0xdeadbeef # arbitrary low 32 bits # Checksum checksum = (payload_id & 0xFFFF) | ((header1 ^ header2) << 16) # Header (12 bytes) header = struct.pack('!HHII', header1, header2, checksum, payload_id) # Body metadata (8 bytes) payload_size = 0x10 body_meta = struct.pack('!II', payload_id, payload_size) packet = header + body_meta # remote host = "127.0.0.1" port = 4444 conn = remote(host, port) conn.send(packet) print(conn.recvall()) ``` ## Re: jump procedure The challenge is to calculate the value of [rbp+var_2C] After process [rbp+var_2C] is compare with 1337 ![image](https://hackmd.io/_uploads/ry5S0SWrxe.png) * next_label1: **[rbp+var_2C] << 1** with 7 times ![image](https://hackmd.io/_uploads/SkH518WHlx.png) * next_label2: **([rbp+var_2C] + 2) << 2** with 15 times ![image](https://hackmd.io/_uploads/HyGskIbBge.png) * next_label3: **[rbp+var_2C] + 1** with 150 times ![image](https://hackmd.io/_uploads/ryO3JIWSgg.png) The 3 inputs are the number of skips for each calculation of lables Solve: ```python! # next_label3: val + 1 (150) # next_label2: (val + 2) << 2 (15) # next_label1: val << 1 (7) def solve(a, b, c): val = 1 # next_label1 val *= 2 ** (7 - a) # next_label2 for i in range(15 - b): val = (val + 2) * 4 # next_label3 val += 150 - c return val for a in range(7): for b in range(15): for c in range(150): if solve(a, b, c) == 1337: print(f'Skip a = {a*3}, b = {b*8}, c = {c*4} bytes') # -------------------- NOTE ---------------------------- # space between 2 instructions in next_label1 is 3 bytes # space between 2 instructions in next_label2 is 4 bytes but have 2 operations so is 8 bytes # space between 2 instructions in next_label3 is 4 bytes ```