Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

More information

1. Pentest Tools Website
2. Pentest Tools
3. Hacker Tools Linux
4. Hacking Tools For Games
5. Hacker Search Tools
6. Hacking Tools Windows 10
7. Tools Used For Hacking
8. Hack Website Online Tool
9. Pentest Reporting Tools
10. Hacker Tools For Ios
11. Hacking Tools For Pc
12. Hacking Tools For Mac
13. Hacking Tools Usb
14. Pentest Tools For Ubuntu
15. Hacking Tools For Windows Free Download
16. Hack Tool Apk No Root
17. Hacking Tools
18. Hacker Tools Free Download
19. Hacking Tools Github
20. Pentest Tools Bluekeep
21. Hacker Tools Windows
22. Hacking Tools Hardware
23. Hack Rom Tools
24. Hack Tool Apk No Root
25. Best Pentesting Tools 2018
26. Hacking Tools Windows 10
27. Hacks And Tools
28. Hacker Tools Windows
29. Hacking Tools For Pc
30. How To Hack
31. Hack Tools Mac
32. Pentest Tools List
33. Hack Tools Github
34. Game Hacking
35. Pentest Tools Linux
36. Hacking Tools For Windows
37. Pentest Reporting Tools
38. Hack Tools For Games
39. Tools For Hacker
40. Hack Website Online Tool
41. Best Hacking Tools 2020
42. Pentest Tools For Windows
43. Hacking Tools Kit
44. Hacker Security Tools
45. New Hack Tools
46. Pentest Tools Android
47. Pentest Tools Github
48. Hacking Tools Usb
49. Pentest Tools For Ubuntu
50. Underground Hacker Sites
51. Hacking Tools Usb
52. Hacker Tools For Mac
53. What Are Hacking Tools
54. Hacker Tools Apk Download
55. Termux Hacking Tools 2019
56. Computer Hacker
57. Hack Tools
58. Hacking Tools Pc
59. Hacking Tools Free Download
60. Nsa Hacker Tools
61. Usb Pentest Tools
62. Hacking Tools 2020
63. Hack Tools For Ubuntu
64. Hack App
65. Hack Tools
66. Hacking Tools Free Download
67. Hacker Tools Free Download
68. Hacking Tools Mac
69. Pentest Tools Url Fuzzer
70. Hacking App
71. Hacking Tools Github
72. Hak5 Tools
73. Pentest Automation Tools
74. Hack Tools Github
75. Physical Pentest Tools
76. Hacking Apps
77. Nsa Hack Tools
78. Tools Used For Hacking
79. Pentest Tools List
80. Pentest Tools Free
81. Hacking Tools Kit
82. Hacking Tools 2020
83. Hacking Tools Name
84. Pentest Tools Alternative
85. Tools Used For Hacking
86. Physical Pentest Tools
87. How To Make Hacking Tools
88. Hak5 Tools
89. Hacker Tools For Pc
90. Black Hat Hacker Tools
91. Game Hacking
92. Pentest Tools For Android
93. Hacking Tools For Windows
94. Pentest Tools Subdomain
95. Hack App
96. How To Install Pentest Tools In Ubuntu
97. Pentest Tools Android
98. Hack Tools For Ubuntu
99. Pentest Tools Kali Linux
100. Best Hacking Tools 2020
101. New Hack Tools
102. Hacking Tools Windows
103. Hacking Tools Online
104. Pentest Tools Nmap
105. Hacker Tools For Ios
106. Hacking Tools Pc
107. Pentest Tools Github
108. Pentest Tools List
109. Pentest Tools Url Fuzzer
110. What Are Hacking Tools
111. Hacking Tools Free Download
112. Pentest Tools Github
113. Hacking Tools For Windows Free Download
114. Pentest Tools Tcp Port Scanner
115. Hack Tools For Pc
116. Hack Rom Tools
117. Hack Tools For Games
118. Pentest Recon Tools
119. Hacking Tools Free Download
120. Hacking Tools Software
121. Pentest Tools For Windows
122. Hacks And Tools
123. Pentest Tools Windows
124. Pentest Tools Windows
125. Hack Tools Online
126. Pentest Tools Android
127. Hacking App
128. Hacking Tools 2019
129. Hacker Tools
130. Hacker Tools Free
131. Pentest Tools Url Fuzzer
132. Hacking Tools Windows 10
133. Hacking Tools For Windows
134. Hacking Tools For Games
135. Hacking Tools Online
136. Pentest Tools For Mac
137. Hacking Tools Usb
138. Hacker Tools Online
139. What Are Hacking Tools
140. Pentest Tools Alternative
141. Pentest Tools Open Source
142. Pentest Tools Find Subdomains
143. Hacker Tool Kit
144. Hacking Tools Name
145. Hacking Tools Pc
146. Pentest Tools Url Fuzzer
147. Hacker Tools Free Download
148. Hacking Tools
149. Hack Tools For Mac
150. Hack Tools For Games
151. Bluetooth Hacking Tools Kali
152. What Is Hacking Tools
153. Hacker Hardware Tools
154. Hacker Tools Free
155. Free Pentest Tools For Windows
156. Hak5 Tools
157. Pentest Tools Alternative
158. Pentest Tools Framework
159. New Hacker Tools
160. Hacker Tools Free
161. Computer Hacker
162. Hacker Tools List
163. Hacker Tools Github
164. Pentest Tools Android
165. Hacker Tools Windows
166. Pentest Tools For Mac
167. Hacking Tools Hardware