Solving the task with pwnable.kr 25 - otp. Linux file size limit

In this article we will solve the 25th task from the site pwnable.kr.

Organizational information

Especially for those who want to learn something new and develop in any of the areas of information and computer security, I will write and talk about the following categories:

  • PWN;
  • cryptography (Crypto);
  • network technologies (Network);
  • reverse (Reverse Engineering);
  • steganography (Stegano);
  • search and exploitation of WEB vulnerabilities.

In addition, I will share my experience in computer forensics, malware and firmware analysis, attacks on wireless networks and local area networks, pentesting and writing exploits.

So that you can find out about new articles, software and other information, I created a Telegram channel and a group to discuss any issues in the area of information and computer security. I will also look at your personal requests, questions, suggestions and recommendations and reply to everyone.

All information is provided for educational purposes only. The author of this document assumes no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained as a result of studying this document.

Solving the otp task

We continue with the second section. I will say right away that it is more difficult than the first one, but this time they do not provide the source code of the program. Don't forget the discussion here (https://t.me/RalfHackerPublicChat) and here (https://t.me/RalfHackerChannel). Let's start.

Click on the icon labeled otp. We are given an address and a port to connect to.

We connect and look around on the server.

There is a flag that we cannot read, the program, and its source code. Let's look at the source.

Let's go through it. The program takes a password as an argument.

Next, 16 random bytes are stored in the otp variable.

A file with a random name (the first 8 bytes of otp) is created in the tmp folder, and 8 random bytes (the second 8 bytes of otp) are written to it.

For some reason, the value is then read back from the created file and compared with the entered password.

There is a vulnerability here: the generated number is saved to a file as an intermediate step. We can limit the file size, for example to 0; then nothing is written or read back, and 0 is compared with the password. This can be done as follows.

# ulimit -f 0

Now let's run the program.

We get an error. That is not a problem: it can be handled with Python by ignoring the SIGXFSZ signal.

python -c "import os, signal; signal.signal(signal.SIGXFSZ, signal.SIG_IGN); os.system('./otp 0')" 

We get the flag and our easy 100 points. And we continue: in the next article we will touch on the Web. You can join us on Telegram.
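
The root cause described above, as an added example (not the task's source code and not from the original article): a secret is round-tripped through a file without checking any I/O result, shown next to a checked variant that fails closed. The function names, the demo path and the sample secret are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Store secret in a temp file and read it back: 0 and *out on success, -1 on
 * I/O failure. checked == 0 ignores every return value, as the article describes. */
static int roundtrip(uint64_t secret, uint64_t *out, int checked)
{
    char path[] = "/tmp/otp_demo_XXXXXX";       /* constructed demo path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); unlink(path); return -1; }
    size_t w = fwrite(&secret, sizeof secret, 1, fp); /* only fills the stdio buffer */
    int c = fclose(fp);                         /* the real write(2) fails here */
    uint64_t readback = 0; size_t r = 0;
    fp = fopen(path, "r");
    if (fp) { r = fread(&readback, sizeof readback, 1, fp); fclose(fp); }
    unlink(path);
    if (checked && (w != 1 || c != 0 || r != 1)) return -1;  /* fail closed */
    *out = readback;
    return 0;
}

/* Same, under the article's conditions: soft RLIMIT_FSIZE 0, SIGXFSZ ignored; both restored. */
int roundtrip_under_fsize0(uint64_t secret, uint64_t *out, int checked)
{
    struct rlimit old, zero;
    if (getrlimit(RLIMIT_FSIZE, &old) != 0) return -1;
    zero = old; zero.rlim_cur = 0;
    void (*prev)(int) = signal(SIGXFSZ, SIG_IGN);
    setrlimit(RLIMIT_FSIZE, &zero);
    int rc = roundtrip(secret, out, checked);
    setrlimit(RLIMIT_FSIZE, &old);
    signal(SIGXFSZ, prev);
    return rc;
}

int main(void)
{
    uint64_t v = 1;
    int u = roundtrip_under_fsize0(0x1122334455667788ULL, &v, 0);
    int c = roundtrip_under_fsize0(0x1122334455667788ULL, &v, 1);
    printf("unchecked rc=%d readback=%llu, checked rc=%d\n", u, (unsigned long long)v, c);
    return 0;
}
```

Checking fwrite alone would not catch the failure, because the 8 bytes are accepted into the stdio buffer and the error only surfaces when fclose flushes them. Resource limits and signal dispositions are inherited from the caller, so a program that compares secrets should either keep them in memory or treat any short write or read as a failed check.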

Source: habr.com