# Hw0 Writeup

---

* Student: 林咏毅 Yung-Yi, Lin
* Student ID: b10901059

---

## Problem 1: easy-C2

* FLAG{C2_cmd_in_http_header}

### Solution process and approach

1. First, I execute the easy-c2 file and observe that I need a socket to receive the message sent by this binary.
   ![](https://hackmd.io/_uploads/S1OEumuk6.png)
2. Since I have no information about this binary, I use IDA to look for any information about its functions, and here is what I found in the main() function:
   ![](https://hackmd.io/_uploads/BJ1rtmOyT.png)
3. By reading the code in the main() function, I find that I need to open a socket on address 127.0.0.1, i.e. localhost, port 11187 to receive the flag sent by this file.
4. Knowing this, I write a socket server in Python, which prints out the message it receives; here is the code:
   ![](https://hackmd.io/_uploads/rJ12qQ_Jp.png)
5. After building the socket, I run this script and then the easy-c2 file, and it turns out that the flag is sent successfully; here is the flag I get:
   ![](https://hackmd.io/_uploads/SJ4jiXdyT.png)
   ![](https://hackmd.io/_uploads/rJa3omdJ6.png)
6. Reference:
   * [python socket](https://shengyu7697.github.io/python-socket/)
7. Collaborator: None

---

## Problem 2: GUSP Hub

* Flag{}

### Solution process and approach

1. By reading the code of "/add-api" with the POST method, I observe that I need to write a server that speaks the GUSP protocol in order to receive the flag.
2. With the code below, the information is correctly sent to req.body:
   ![](https://hackmd.io/_uploads/H1ajmwKyT.png)
3. Using ngrok, with the docker command "docker compose up -d", I try to connect the server to the outer Internet.
4. And it turns out I'm stuck...QQ

---

## Problem 3: Baby Crackme

* FLAG{r0ll1ng_4nd_3xtr4ct_t0_m3m0ry}

### Solution process and approach

1. First, I execute the baby-crackme file and find out that the goal is to find the correct license.
   ![](https://hackmd.io/_uploads/BJlPCmdJa.png)
2. Since I have no information about this binary, I use IDA to look for any information about its functions, and here is what I found in the main() function:
   ![](https://hackmd.io/_uploads/B1hYy4OyT.png)
3. By reading the code, I find that when the function sub_11C9 returns true, the validation succeeds. As a result, I check out sub_11C9, and this is what I find:
   ![](https://hackmd.io/_uploads/BkmmeNOyT.png)
4. Since a1 is a parameter passed to the function and a2, a3 are already known, by calculating s1 we can know the value of a1. But this process is difficult for me, so I try another method to get the flag...
5. With gdb-peda, I first use the command "info func" to get the address of the function strcmp, which is used to compare whether the input is valid.
   ![](https://hackmd.io/_uploads/S1X54Vdka.png)
6. Then I set a breakpoint at this address to check whether there is any information about the flag.
   ![](https://hackmd.io/_uploads/BkhkH4dk6.png)
7. Finally, I run the file with the command "r", and the flag shows up, which means the breakpoint I set is correct.
   ![](https://hackmd.io/_uploads/SJswS4OJ6.png)
8. Reference:
   * [gdb-peda](https://github.com/longld/peda)
9. Collaborator: None

---

## Problem 4: Baby Hook

* FLAG{B4by_Ld_Pr3L0aD_L1bR1rY_:)}

### Solution process and approach

1. By reading the code in the "share" file and running main.py, we find that the program asks us to enter the encoded bytes of a binary file.
   ![](https://hackmd.io/_uploads/HJfivr_Ja.png)
2. Then we check the chall.c file, which is executed by main.py, and we find the bottleneck: the sleep() function.
   ![](https://hackmd.io/_uploads/SkTAqSdkp.png)
3. We should rewrite the sleep() function so that it prints out the content of flag.txt, and comment out the main() function.
   ![](https://hackmd.io/_uploads/ryQ-3S_kT.png)
4. After finishing the sleep() function, we compile chall.c into a chall.so file, which overrides the original sleep() function once its encoded bytes are entered.
5. Next, we get the result by entering the encoded bytes of the chall.so file through a pipe, so that the input is not affected by the line-break character "\n".
   ![](https://hackmd.io/_uploads/ryuDxndya.png)
6. The result is shown in the following picture:
   ![](https://hackmd.io/_uploads/rkA4b3uJa.png)
7. Reference:
   * [Read .txt file in C](https://stackoverflow.com/questions/9708578/how-do-i-read-and-edit-a-txt-file-in-c)
   * [Write to stdin with Popen](https://stackoverflow.com/questions/8475290/how-do-i-write-to-a-python-subprocess-stdin)
8. Collaborator: None

---

## Problem 5: Extreme Xorrrrr

* FLAG{xor_ThEN_><OR_1qUal_ZEr0}

### Approach and solution process

1. By reading the given code, we can observe the pattern of the results generated by the function xorrrrr(), shown in the following picture:
   ![](https://hackmd.io/_uploads/HkKCXnOkT.png)
2. Based on this observation, I recover the raw data by calculating the key, which is the XOR of every number in the result array, and then XORing the key with each given result.
   ![](https://hackmd.io/_uploads/B1e28hOk6.png)
   ![](https://hackmd.io/_uploads/HytTLndJp.png)
3. With the original muls, mods, and hint, I calculate secret from these numbers with the Chinese Remainder Theorem (CRT). Finally, I successfully get the flag!
   ![](https://hackmd.io/_uploads/HkSkwh_1T.png)
   ![](https://hackmd.io/_uploads/BJ1_I3Oya.png)
   ![](https://hackmd.io/_uploads/HJTMD2_ya.png)
4. Reference:
   * [CRT](https://cloud.tencent.com/developer/article/1141031)
5. Collaborator: b10901002
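The listener used in Problem 1 is only shown as a screenshot, so here is an added example (not the writeup's own script and not part of the challenge) of a one-shot TCP listener on the 127.0.0.1:11187 endpoint the IDA output revealed. Because the flag says the C2 command travels in an HTTP header, the listener also parses whatever it receives as an HTTP request and picks out watch-listed headers. The sample request, the header name `X-Cmd` and the watch list are constructed assumptions; the easy-c2 binary's real request format is not on the page.

```python
import socket

# Address and port taken from the writeup's IDA findings for easy-c2.
HOST, PORT = "127.0.0.1", 11187

# Constructed sample request; the request line and the "X-Cmd" header name
# are assumptions for this example, not taken from the challenge binary.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:11187\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"X-Cmd: example-command\r\n"
    b"\r\n"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into its request line, a lower-cased header
    dict, and whatever body bytes followed the blank line. Non-HTTP input
    still parses: its first line becomes the request line and the headers
    stay empty."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {
        "request_line": lines[0],
        "headers": headers,
        "complete": bool(sep),  # False if the header block never terminated
        "body": body,
    }


def find_command_headers(parsed: dict, names=("x-cmd",)) -> dict:
    """Return only the headers whose names are on the watch list
    (the watch list itself is an assumption for this example)."""
    return {k: v for k, v in parsed["headers"].items() if k in names}


def serve_once(host=HOST, port=PORT, timeout=60.0) -> dict:
    """Accept one connection, read until the header block is complete
    (or the peer closes), and return the parsed request plus the peer."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            parsed = parse_http_request(buf)
            parsed["peer"] = peer
            return parsed


if __name__ == "__main__":
    print("listening on %s:%d" % (HOST, PORT))
    req = serve_once()
    print("from", req["peer"], ":", req["request_line"])
    for name, value in req["headers"].items():
        print("%s: %s" % (name, value))
    print("watch-listed headers:", find_command_headers(req))
```

Run the script first, then the easy-c2 binary, as in step 5 of the writeup; the listener exits after the first connection. Keeping the parser separate from the socket code is what makes the header logic testable without a live connection.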
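Problem 4, step 5, feeds the encoded bytes of chall.so through a pipe so that a line break cannot corrupt the input. The following added example (not main.py and not the challenge's code) shows that step in Python with `subprocess.Popen`, which is what the writeup's second reference covers. The base64 encoding, the constructed payload bytes and the stand-in target program are assumptions; the challenge's real encoding is not stated on the page.

```python
import base64
import subprocess
import sys

# Stand-in for the challenge's main.py (constructed for this example): reads
# the encoded payload from stdin, decodes it strictly and reports what it got.
STAND_IN_TARGET = [
    sys.executable, "-c",
    "import sys, base64\n"
    "raw = sys.stdin.buffer.read()\n"
    "blob = base64.b64decode(raw, validate=True)\n"
    "sys.stdout.write('%d bytes, last byte %d' % (len(blob), blob[-1]))\n",
]

# Constructed payload: a few bytes ending in 0x0a, the line-break byte that an
# interactive read would treat as the end of the line (not a real chall.so).
SAMPLE_BLOB = bytes([0x7F, 0x45, 0x4C, 0x46, 0x0A])


def encode_payload(blob: bytes) -> bytes:
    """Encode the shared object's bytes for transport. base64 is an
    assumption; the writeup does not state which encoding the challenge expects."""
    return base64.b64encode(blob)


def feed_via_pipe(argv, payload: bytes, timeout=30.0) -> dict:
    """Write the payload to the target's stdin through a pipe, close it, and
    collect the result. communicate() sends exactly the bytes given, so no
    stray "\\n" is appended the way a terminal would append one."""
    proc = subprocess.Popen(
        argv,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    out, err = proc.communicate(payload, timeout=timeout)
    return {"returncode": proc.returncode,
            "stdout": out.decode(errors="replace"),
            "stderr": err.decode(errors="replace")}


def deliver(blob: bytes, argv=STAND_IN_TARGET) -> dict:
    """Encode a binary blob and hand it to the target over the pipe."""
    return feed_via_pipe(argv, encode_payload(blob))


if __name__ == "__main__":
    ok = deliver(SAMPLE_BLOB)
    print("piped exactly:", ok["returncode"], ok["stdout"])
    # What a terminal would do: append a newline after the encoded text.
    bad = feed_via_pipe(STAND_IN_TARGET, encode_payload(SAMPLE_BLOB) + b"\n")
    print("with trailing newline:", bad["returncode"], bad["stderr"].strip().splitlines()[-1])
```

To use it against the real challenge, replace `STAND_IN_TARGET` with the command that runs main.py and `SAMPLE_BLOB` with the bytes read from chall.so. The second call in the `__main__` block shows the failure mode the writeup avoided: a strict decoder rejects the extra line-break byte, so the target never sees a valid shared object.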
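Problem 5's solve script is only visible in screenshots, so here is an added example (not the writeup's script and not the challenge source) that implements the two steps described: recover the raw arrays from the xorrrrr() output with the XOR-of-everything key, then combine muls, mods and hint with CRT. Two assumptions, taken from the writeup's description rather than the challenge code, are made explicit: xorrrrr() replaces each element by the XOR of all the other elements (which is why XORing all outputs of an even-length array yields the key), and the hint relation is hint_i = secret * mul_i mod mod_i, with each of the three arrays obfuscated separately. The CRT here also handles non-coprime moduli, which goes beyond the pairwise-prime case a typical challenge uses.

```python
from functools import reduce
from math import gcd
from operator import xor


def xorrrrr(data):
    """Assumed obfuscation: out[i] = XOR of all inputs except data[i],
    i.e. (XOR of all inputs) ^ data[i]."""
    total = reduce(xor, data, 0)
    return [total ^ v for v in data]


def unxorrrrr(results):
    """Invert xorrrrr for an even-length array. XORing every output cancels
    the data terms pairwise and leaves the key (the XOR of all inputs);
    XORing that key back into each output restores the raw value."""
    if len(results) % 2:
        raise ValueError("odd length: the outputs XOR to 0, key not recoverable this way")
    key = reduce(xor, results, 0)
    return [key ^ v for v in results]


def crt(residues, moduli):
    """Return (x, M) with x = r_i (mod m_i) for every i and M = lcm of the
    moduli. Raises ValueError if the congruences are inconsistent."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        g = gcd(m, p)
        if (r - x) % g:
            raise ValueError("inconsistent congruences")
        lcm = m // g * p
        # Solve (m/g) * t = (r - x)/g  (mod p/g), then step x by m*t.
        t = ((r - x) // g * pow(m // g, -1, p // g)) % (p // g)
        x = (x + m * t) % lcm
        m = lcm
    return x, m


def recover_secret(muls, mods, hints):
    """Assumed relation hint_i = secret * mul_i (mod mod_i), so
    secret = hint_i * mul_i^-1 (mod mod_i); combine the residues with CRT."""
    residues = [h * pow(a, -1, n) % n for a, n, h in zip(muls, mods, hints)]
    return crt(residues, mods)


def solve(obf_muls, obf_mods, obf_hints):
    """Full pipeline: strip the XOR layer from each array, then run CRT.
    The result is secret modulo the lcm of the moduli."""
    return recover_secret(unxorrrrr(obf_muls), unxorrrrr(obf_mods), unxorrrrr(obf_hints))


if __name__ == "__main__":
    # Constructed demo values; the real challenge arrays are not on the page.
    secret = 123456
    muls, mods = [3, 5, 7, 11], [101, 103, 107, 109]
    hints = [secret * a % n for a, n in zip(muls, mods)]
    obf = (xorrrrr(muls), xorrrrr(mods), xorrrrr(hints))
    print("obfuscated:", obf)
    print("recovered:", solve(*obf))
```

The even-length requirement is the caveat to check first: with an odd number of elements the XOR of all outputs is always 0, so the key cannot be read off that way and one more relation is needed. The secret is recovered only modulo the lcm of the moduli, so the product of the moduli must exceed the secret for the result to equal it exactly.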