Solution to problem 25 from pwnable.kr - otp. File size limitation in Linux

In this article we will solve the 25th task from the site pwnable.kr.

Organizational information

Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:

  • PWN;
  • cryptography (Crypto);
  • network technologies (Network);
  • reverse (Reverse Engineering);
  • steganography (Stegano);
  • search and exploitation of WEB vulnerabilities.

In addition, I will share my experience in computer forensics, malware and firmware analysis, attacks on wireless networks and local area networks, pentesting and writing exploits.

So that you can find out about new articles, software and other information, I created a Telegram channel and a group to discuss any issues in the area of information and computer security. I will also look at your personal requests, questions, suggestions and recommendations and reply to everyone.

All information is provided for educational purposes only. The author of this document assumes no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained as a result of studying this document.

Solving the otp task

We continue with the second section. I will say right away that it is more difficult than the first one, but this time they do not provide the source code of the program. Don't forget the discussion here (https://t.me/RalfHackerPublicChat) and here (https://t.me/RalfHackerChannel). Let's start.

Click on the icon labeled otp. We are given an address and a port to connect to.

We connect and look around on the server.

There is the flag, which we cannot read, the program, and its source code. Let's see the source.

Let's go through it. The program takes a password as an argument.

Next, 16 random bytes are stored in the otp variable.

A file with a random name (the first 8 bytes of otp) is created in the tmp folder, and 8 random bytes (the second 8 bytes of otp) are written to it.

Then, for some reason, the value is read back from the created file and compared with the entered password.

There is a vulnerability here: the generated number is saved to a file as an intermediate step. We can limit the file size, for example to 0; then the write stores nothing, the read returns nothing, and 0 is compared with the password. This can be done as follows.

# ulimit -f 0

Now let's run the program.

We get an error. That does not matter: it can be handled with Python, by ignoring the SIGXFSZ signal before starting the program.

python -c "import os, signal; signal.signal(signal.SIGXFSZ, signal.SIG_IGN); os.system('./otp 0')" 
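Why the size limit defeats the check, and what the program would have to verify to fail closed, shown as an added C sketch (not the challenge's source code and not the author's). The function names and the /tmp/fsize_demo path are hypothetical; the sketch lowers RLIMIT_FSIZE inside its own process instead of inheriting it from the shell.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>
typedef unsigned long long u64;

/* Unchecked round trip (the pattern described above): a failed write leaves 0. */
u64 roundtrip_unchecked(const char *path, u64 secret) {
    u64 back = 0;
    FILE *fp = fopen(path, "w");
    if (!fp) return 0;
    fwrite(&secret, sizeof secret, 1, fp);   /* only buffered, so it "succeeds" */
    fclose(fp);                              /* the flush fails here, result dropped */
    if ((fp = fopen(path, "r")) != NULL) {
        if (fread(&back, sizeof back, 1, fp) != 1) { /* short read ignored */ }
        fclose(fp);
    }
    unlink(path);
    return back;
}

/* Checked round trip: 0 on success, -1 if any step failed (fail closed). */
int roundtrip_checked(const char *path, u64 secret, u64 *out) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    int ok = fwrite(&secret, sizeof secret, 1, fp) == 1;
    ok = (fclose(fp) == 0) && ok;            /* EFBIG surfaces at the flush */
    fp = ok ? fopen(path, "r") : NULL;
    ok = fp && fread(out, sizeof *out, 1, fp) == 1;
    if (fp) fclose(fp);
    unlink(path);
    return ok ? 0 : -1;
}

/* Run one variant with RLIMIT_FSIZE at 0 and SIGXFSZ ignored, then restore both. */
int under_zero_limit(int checked, u64 secret, u64 *out) {
    struct rlimit old, zero;
    char path[64];
    snprintf(path, sizeof path, "/tmp/fsize_demo.%d", (int)getpid()); /* constructed path */
    getrlimit(RLIMIT_FSIZE, &old);
    zero = old;
    zero.rlim_cur = 0;
    void (*prev)(int) = signal(SIGXFSZ, SIG_IGN);
    setrlimit(RLIMIT_FSIZE, &zero);
    int rc = checked ? roundtrip_checked(path, secret, out)
                     : (*out = roundtrip_unchecked(path, secret), 0);
    setrlimit(RLIMIT_FSIZE, &old);
    signal(SIGXFSZ, prev);
    return rc;
}
```

Checking every I/O result only turns the bypass into a refusal; comparing the password against the value still held in memory removes the dependence on caller-controlled resource limits altogether.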

We get the flag and our easy 100 points. And we continue: in the next article we will touch on the Web. You can join us at Telegram.

Source: habr.com