.-. .-. .-.   .-. .-. .-. .-.                  
|-  |   |-    `-| |-. |\| `-|                  
`-' `-' `-'   `-' `-' `-' `-'                  
                                               
.-. .-. .-. .-. .-. . . .  . .-. . . .-.   .-. 
|-| `-. `-.  |  |.. |\| |\/| |-  |\|  |    .'' 
` ' `-' `-' `-' `-' ' ` '  ` `-' ' `  '    `-- 

Assignment 2

Overview

In this assignment you will learn about UNIX file permissions, computer memory and endianness, C, gdb, and assembly code.

How the assignment is marked

In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.

What to do

Some examples of how you can convince us you thought through the problem could include sharing details of:

  • Your thought process (e.g., “I noticed something unusual in the code, so I…”)
  • Things you didn’t know (e.g., “I had to look up how netcat works”)
  • Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
  • The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)

What NOT to do

  • Say “I couldn’t figure it out” and not write anything else
  • Submit the writeup of another person, whether another student, or someone online (duh)
  • Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
  • Only give the flag and no other window into your thought process

Instructions

Answer the following questions in a PDF and submit it in OWL -> ECE9609 -> Assignments -> Assignment 2.


Question 1 - File Permissions

Log into the collision challenge on pwnable.kr and observe the files in the directory

$ ssh col@pwnable.kr -p2222
col@pwnable.kr's password:
██     ██ ███████ ██       ██████  ██████  ███    ███ ███████     ████████  ██████
██     ██ ██      ██      ██      ██    ██ ████  ████ ██             ██    ██    ██
██  █  ██ █████   ██      ██      ██    ██ ██ ████ ██ █████          ██    ██    ██
██ ███ ██ ██      ██      ██      ██    ██ ██  ██  ██ ██             ██    ██    ██
 ███ ███  ███████ ███████  ██████  ██████  ██      ██ ███████        ██     ██████


██████  ██     ██ ███    ██  █████  ██████  ██      ███████    ██   ██ ██████
██   ██ ██     ██ ████   ██ ██   ██ ██   ██ ██      ██         ██  ██  ██   ██
██████  ██  █  ██ ██ ██  ██ ███████ ██████  ██      █████      █████   ██████
██      ██ ███ ██ ██  ██ ██ ██   ██ ██   ██ ██      ██         ██  ██  ██   ██
██       ███ ███  ██   ████ ██   ██ ██████  ███████ ███████ ██ ██   ██ ██   ██


Admin: daehee (daehee87@khu.ac.kr)
Please note that server is under renewal/update.
Please don't brute-force the resource, be kind to other users.
Installed Tools: pwndbg, qemu, python2, python3
(let admin know if some essential tool is missing)
**IMPORTANT: stuff under /tmp can be erased. "/usr/local/bin/cleanup_tmp.sh" runs every 24H **
col@ubuntu:~$ ls -l
total 24
-r-xr-sr-x 1 root col_pwn 15164 Mar 26  2025 col
-rw-r--r-- 1 root root      589 Mar 26  2025 col.c
-r--r----- 1 root col_pwn    26 Apr  2  2025 flag
col@ubuntu:~$ id
uid=1005(col) gid=1005(col) groups=1005(col)

In your own words, answer the following:

  1. Which user owns the file col?
  2. Which files in this directory can the users in the group col read from?
  3. What does the setgid (‘s’) flag do?
  4. What exactly does -r-xr-sr-x tell us about the file col? Be sure to explain who is allowed to do what.

This article on file permissions may be of some help.


Question 2 - Basics of C

In a C compiler of your choosing, compile and run the following program to recover the flag.

#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]){
    char a[] = ".....abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";
    char temp[] = "a+@";
    char flag[10] = "";
    strncat(flag, a+'!', 1);
    strncat(flag, a+'*', 1);
    strncat(flag, a+'3', 1);
    strncat(flag, a+'#', 1);
    printf("Here's your %s\n", flag);
    return 0;
}

  • What is the flag?
  • What command(s) did you use to compile and run this program?

Question 3 - Basics of Computer Memory

Assignments 2, 3, and 4 are performed on a 32-bit architecture, meaning each individual byte of memory can be referenced by a 32-bit address (i.e., the virtual memory available to a 32-bit process).

  • What is the number 3735928559 in hexadecimal form?
  • Suppose this number was stored as an integer (i.e., int type) in little-endian format at memory address 0x12345678. Fill in the following memory map showing where each byte is stored. If the value is unknown/not relevant, leave it as 0x??.

Address     | Value
-------------------------
...         |
0x12345674  | 0x??
0x12345675  | 0x??
0x12345676  | 0x??
0x12345677  | 0x??
0x12345678  | 0x??
0x12345679  | 0x??
0x1234567a  | 0x??
0x1234567b  | 0x??

This article on endianness may be of some help.
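
To see how byte order determines a memory map like the one above, the following added example (not part of the original assignment) lays out a 32-bit value one byte per address in both little-endian and big-endian order. The value 0x0A0B0C0D and the base address 0x1000 are constructed for illustration and are deliberately not the numbers from the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value least-significant byte first (little-endian),
 * independent of the host CPU's own byte order. */
void store_le32(uint8_t out[4], uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Same value, most-significant byte first (big-endian). */
void store_be32(uint8_t out[4], uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * (3 - i)));
}

/* Rebuild the integer from bytes stored in little-endian order. */
uint32_t load_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | (uint32_t)in[1] << 8 |
           (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
}

/* Returns 1 if this machine stores ints little-endian (x86 does). */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* read the byte at the lowest address */
    return first == 1;
}

/* Print one byte per address, lowest address first. */
void print_map(uint32_t base, const uint8_t bytes[4]) {
    printf("Address     | Value\n-------------------------\n");
    for (int i = 0; i < 4; i++)
        printf("0x%08x  | 0x%02x\n", (unsigned)(base + i), bytes[i]);
}

int main(void) {
    uint32_t value = 0x0A0B0C0Du;  /* constructed sample value */
    uint32_t base  = 0x1000u;      /* hypothetical address, illustration only */
    uint8_t le[4], be[4];
    store_le32(le, value);
    store_be32(be, value);
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    puts("little-endian layout:"); print_map(base, le);
    puts("big-endian layout:");    print_map(base, be);
    printf("reloaded from LE bytes: 0x%08x\n", (unsigned)load_le32(le));
    return 0;
}
```

Build it with gcc and compare the little-endian layout with what gdb's x/4xb shows for the address of an int variable holding the same value.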


Question 4 - Collision Challenge

Read the tutorial notes on the Collision challenge. Complete the challenge on pwnable.kr.

Note: use the -g flag to build your executable with debugger information. Be sure to build it as a 32-bit binary using the -m32 flag.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.


Question 5 - bof Challenge

Read the tutorial notes on the bof challenge. Complete the challenge on pwnable.kr.

Note: use the -g flag to build your executable with debugger information. Be sure to build it as a 32-bit binary using the -m32 flag.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.


Useful gdb/pwndbg Commands

  • list: Print the source code with line numbers (useful for setting breakpoints). Note: This requires the program to have been compiled with gcc using the -g flag.
  • break n or b n: Set breakpoint at line n.
  • run or r: Run the program
  • continue or c: Continue execution
  • print myvar or p myvar: Print the contents of a variable myvar in decimal form
  • p/x myvar: Print the contents of myvar in hexadecimal form
  • p/c myvar: Print the contents of myvar as ASCII characters (if possible)
  • p/x &myvar: Print the address of myvar in hexadecimal form
  • quit: Exit gdb/pwndbg

The following gdb/pwndbg cheatsheet may be useful.