.-. .-. .-.   .-. .-. .-. .-.                  
|-  |   |-    `-| |-. |\| `-|                  
`-' `-' `-'   `-' `-' `-' `-'                  
                                               
.-. .-. .-. .-. .-. . . .  . .-. . . .-.   .-. 
|-| `-. `-.  |  |.. |\| |\/| |-  |\|  |    .'' 
` ' `-' `-' `-' `-' ' ` '  ` `-' ' `  '    `-- 

Assignment 2

Overview

In this assignment you will learn about UNIX file permissions, computer memory and endianness, C, gdb, and assembly code.

How the assignment is marked

In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.

What to do

Some examples of how you can convince us you thought through the problem could include sharing details of:

  • Your thought process (e.g., “I noticed something unusual in the code, so I…”)
  • Things you didn’t know (e.g., “I had to look up how netcat works”)
  • Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
  • The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)

What NOT to do

  • Say “I couldn’t figure it out” and not write anything else
  • Submit the writeup of another person, whether another student, or someone online (duh)
  • Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
  • Only give the flag and no other window into your thought process

Instructions

First, refer to the VM setup instructions to install, set up, and access the assignment virtual machine on your host device.

Then answer the following questions in a PDF and submit it in OWL -> ECE9609 -> Assignments -> Assignment 2.


VM Ground Rules

The purpose of the assignment is to simulate a real, remotely accessed computer system and the assignment is meant to be solved in this spirit. To that end, you will not receive credit for accessing the flags by attacking the virtual machine directly e.g., by recovering the flags using forensics on the .ova file.


Question 1 - File Permissions

Using username col and password col, use ssh to log into the Assignment 2 virtual machine. Once logged in, use ls -l to print the directory:

$ ssh col@<IP address of VM>                                              
col@<IP address of VM> password:

NOTE: This is a *simulation* of a pwnable.kr CTF challenge

 ____  __    __  ____    ____  ____   _        ___      __  _  ____
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : daehee87.kr@gmail.com
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal

col@box:~$ ls -l
total 24
-r-sr-x---    1 col_pwn  col          15448 Feb  4 04:42 col
-rw-r--r--    1 root     root           555 Feb  4 04:41 col.c
-r--r-----    1 col_pwn  col_pwn         27 Feb  4 00:44 flag
col@box:~$

In your own words, answer the following:

  1. Which user owns the file col?
  2. Which files in this directory can the users in the group col read from?
  3. What does the SUID flag do?
  4. What exactly does -r-sr-x--- tell us about the file col? Be sure to explain who is allowed to do what.

This article on file permissions may be of some help.


Question 2 - Basics of C

In the /tmp folder of the Assignment 2 virtual machine, compile and run this program:

#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]){
    char a[] = ".....abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";
    char temp[] = "a+@";
    char flag[10] = "";
    strncat(flag, a+'!', 1);
    strncat(flag, a+'*', 1);
    strncat(flag, a+'3', 1);
    strncat(flag, a+'#', 1);
    printf("Here's your %s\n", flag);
    return 0;
}

  • What is the flag?
  • What command(s) did you use to compile and run this program?

Question 3 - Basics of Computer Memory

Assignments 2, 3, and 4 are performed on a 32-bit architecture, meaning each individual byte of memory can be referenced by a 32-bit address (i.e., the virtual memory available to a 32-bit process).

  • What is the number 3735928559 in hexadecimal form?
  • Suppose this number was stored as an integer (i.e., int type) in little-endian format at memory address 0x12345678. Fill in the following memory map showing where each byte is stored. If the value is unknown/not relevant, leave it as 0x??.

Address     | Value
-------------------------
...         |
0x12345674  | 0x??
0x12345675  | 0x??
0x12345676  | 0x??
0x12345677  | 0x??
0x12345678  | 0x??
0x12345679  | 0x??
0x1234567a  | 0x??
0x1234567b  | 0x??

This article on endianness may be of some help.
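
The following C program is an added illustration, not part of the original assignment. It lays out a 32-bit integer byte by byte in the same Address | Value format, in both little-endian and big-endian order. The value 0xCAFEBABE and the base address 0x0804a010 are constructed samples chosen for the example, not the ones from the question.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample value and base address (not the ones from the question). */
#define SAMPLE_VALUE 0xCAFEBABEu
#define SAMPLE_BASE  0x0804a010u

/* Serialize v into out[0..3], least significant byte at the lowest address. */
void store_le32(uint8_t out[4], uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* Same value, most significant byte first, for contrast. */
void store_be32(uint8_t out[4], uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * (3 - i)));
}

/* Rebuild the integer from four little-endian bytes. */
uint32_t load_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | (uint32_t)in[1] << 8 |
           (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
}

/* Returns 1 if the machine running this code stores ints little-endian. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    return *(const uint8_t *)&probe == 1;
}

/* Print a memory map in the same Address | Value layout as the question. */
void print_map(const char *title, uint32_t base, const uint8_t bytes[4]) {
    printf("%s\nAddress     | Value\n-------------------------\n", title);
    for (uint32_t i = 0; i < 4; i++)
        printf("0x%08x  | 0x%02x\n", (unsigned)(base + i), (unsigned)bytes[i]);
}

int main(void) {
    uint8_t le[4], be[4];
    store_le32(le, SAMPLE_VALUE);
    store_be32(be, SAMPLE_VALUE);
    printf("value = %u = 0x%08x, host little-endian: %d\n",
           (unsigned)SAMPLE_VALUE, (unsigned)SAMPLE_VALUE, host_is_little_endian());
    print_map("little-endian", SAMPLE_BASE, le);
    print_map("big-endian", SAMPLE_BASE, be);
    return load_le32(le) == SAMPLE_VALUE ? 0 : 1;
}
```

In gdb, `x/4xb &var` shows the same per-byte view of a variable in a running process.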


Question 4 - Collision Challenge

Read the tutorial notes on the Collision challenge. Complete the challenge by using ssh to log into the Assignment 2 virtual machine. Use username col and password col.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.


Question 5 - bof Challenge

Read the tutorial notes on the bof challenge. Complete the challenge by using ssh to log into the Assignment 2 virtual machine. Use username bof and password bof.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.