Defcon Qual 2015 - accesscontrol

binary
https://github.com/ctfs/write-ups-2015/tree/master/defcon-qualifier-ctf-2015/reverse/access-control

Server access problem.

Reverse the client binary to recover the protocol, gain access (log in), and then solve the challenge the server issues.

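The 'duchess' user has the privilege to run 'print key', so we need to log in as 'duchess'. As the script below shows, the password it sends is computed only from the user name and a slice of the connection ID that the server itself sends, so no stored secret is involved.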

import struct
import time
import telnetlib
from socket import *

# Endpoint of the challenge service this write-up targeted.
HOST, PORT = "52.74.123.29", 17069

# Account that holds the 'print key' privilege.
userID = "duchess"

def Encrypt(dataStr, saltStr) :
    """XOR dataStr with saltStr character by character and keep it printable.

    Characters are paired with zip(), so the result is as long as the
    shorter of the two inputs. Each XOR value of 31 or less is shifted up
    by 32, and a value of 127 (DEL) is replaced by '!'.

    Despite the name this is a plain XOR with no secret key: in this
    script the salt is always a slice of the connection ID that the server
    sends in its first message.
    """
    pieces = []
    for plainCh, saltCh in zip(dataStr, saltStr) :
        mixed = ord(plainCh) ^ ord(saltCh)
        # Lift control characters into the printable range.
        if mixed < 32 :
            mixed += 32
        # DEL is not printable either; it is mapped to '!' (chr(33)).
        pieces.append("!" if mixed == 127 else chr(mixed))

    return "".join(pieces)

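# Walk through the service's login and 'print key' exchange.
#
# Every value sent as a "password" or challenge answer below is computed by
# Encrypt() from the user name, the challenge text and the connection ID,
# i.e. only from data visible in the session itself. That is the design
# weakness the challenge demonstrates: nothing the client proves depends on
# a secret held outside the transcript.
s = socket(AF_INET, SOCK_STREAM)
try :
    s.connect((HOST, PORT))

    # The first message carries the per-connection ID; bytes 15..29 of it are
    # used as that ID.
    # NOTE(review): assumes the whole banner arrives in one recv() and that
    # the ID sits at this fixed offset - confirm against the client binary.
    data = s.recv(1024)
    connectionID = data[15 : 30]
    print "[*] get connection ID -", connectionID

    # version
    print s.recv(1024)
    s.send("version 3.11.54\n")
    print "[*] send version 3.11.54"
    time.sleep(1)
    s.recv(1024)

    saltIdx = 0

    # login try: the 5-character salt window into the connection ID starts at
    # offset 1, 2 or 3, so each of the three offsets is tried in turn.
    for i in range(3) :
        # userID
        s.send(userID + "\n")
        print "[*] send userID " + userID
        time.sleep(1)
        s.recv(1024)

        # password
        salt = connectionID[1 + i : 1 + i + 5]
        password = Encrypt(userID, salt)
        s.send(password + "\n")
        print "[*] send password " + password
        time.sleep(1)
        data = s.recv(1024)
        # A reply that contains the user name is treated as a successful login.
        if userID in data :
            saltIdx = i
            break
    else :
        # No offset was accepted: stop here instead of reporting a success
        # that did not happen and sending 'print key' unauthenticated.
        raise SystemExit("[-] login failed for all 3 salt offsets")

    print "[*] login Success"
    print "salt idx -", saltIdx

    s.send("print key\n")

    # The reply to 'print key' contains a 5-character challenge at bytes 11..15.
    # NOTE(review): fixed offset into a single recv() - same caveat as above.
    data = s.recv(1024)
    challenge = data[11 : 16]
    print "[*] challenge - " + challenge

    # solve challenge: same transform, salted with the connection-ID window
    # that starts 6 characters after the one that worked for the login.
    chalSalt = connectionID[7 + saltIdx : 7 + saltIdx + 5]
    key = Encrypt(challenge, chalSalt)

    print "[*] chalKey " + key
    s.send(key + "\n")

    time.sleep(1)
    print s.recv(1024)
finally :
    # Release the socket on every exit path, including errors and the
    # login-failure exit above.
    s.close()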
