.-. .-. .-.   .-. .-. .-. .-.                  
|-  |   |-    `-| |-. |\| `-|                  
`-' `-' `-'   `-' `-' `-' `-'                  
                                               
.-. .-. .-. .-. .-. . . .  . .-. . . .-.   .-. 
|-| `-. `-.  |  |.. |\| |\/| |-  |\|  |    .'' 
` ' `-' `-' `-' `-' ' ` '  ` `-' ' `  '    `-- 

Assignment 2

Overview

In this assignment you will learn about UNIX file permissions, computer memory and endianness, C, gdb, and assembly code.

How the assignment is marked

In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.

What to do

Some examples of how you can convince us you thought through the problem could include sharing details of:

  • Your thought process (e.g., “I noticed something unusual in the code, so I…”)
  • Things you didn’t know (e.g., “I had to look up how netcat works”)
  • Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
  • The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)

What NOT to do

  • Say “I couldn’t figure it out” and not write anything else
  • Submit the writeup of another person, whether another student, or someone online (duh)
  • Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
  • Only give the flag and no other window into your thought process

Instructions

Answer the following questions in a PDF and submit it in OWL -> ECE9609 -> Assignments -> Assignment 2.


Question 1 - File Permissions

Use ssh to log into the pwnable.kr Collision challenge and use ls -l to print the directory:

$ ssh col@pwnable.kr -p2222                                                
col@pwnable.kr's password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : daehee87@gatech.edu
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
You have new mail.
Last login: Tue Jan 26 13:36:23 2021 from 81.178.231.100

col@pwnable:~$ ls -l
total 16
-r-sr-x--- 1 col_pwn col     7341 Jun 11  2014 col
-rw-r--r-- 1 root    root     555 Jun 12  2014 col.c
-r--r----- 1 col_pwn col_pwn   52 Jun 11  2014 flag

col@pwnable:~$

In your own words, answer the following:

  1. Which user owns the file col?
  2. Which files in this directory can the users in the group col read from?
  3. What does the SUID flag do?
  4. What exactly does -r-sr-x--- tell us about the file col? Be sure to explain who is allowed to do what.

This article on file permissions may be of some help.


Question 2 - Basics of C

Compile and run this program:

#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]){
    char a[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890";
    char temp[] = "huh?";
    char flag[10] = "";
    strncat(flag, a+'!', 2);
    strncat(flag, a+'\'', 1);
    strncat(flag, a+'-', 1);
    printf("Here's your %s\n", flag);
    return 0;
}

  • What is the flag?
  • What command(s) did you use to compile and run this program?

Question 3 - Basics of Computer Memory

The pwnable.kr challenges are performed on a 32-bit architecture, meaning each individual byte of memory can be referenced by a 32-bit address (i.e., the virtual memory available to a 32-bit process).

  • What is the number 3735928559 in hexadecimal form?
  • Suppose this number was stored as an integer (i.e., int type) in little-endian format at memory address 0x12345678. Fill in the following memory map showing where each byte is stored. If the value is unknown/not relevant, leave it as 0x??.

Address     | Value
-------------------------
...         |
0x12345674  | 0x??
0x12345675  | 0x??
0x12345676  | 0x??
0x12345677  | 0x??
0x12345678  | 0x??
0x12345679  | 0x??
0x1234567a  | 0x??
0x1234567b  | 0x??

This article on endianness may be of some help.
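
The following is an added example, not part of the original assignment: a short C program that stores a 32-bit value in little-endian order and prints a memory map in the same layout as the table above. The value 0x0A0B0C0D, the base address 0x00001000 and all function names are constructed for illustration and differ from the ones in the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value at buf[0..3] in little-endian order:
   the least significant byte goes to the lowest address. */
void store_le32(uint8_t *buf, uint32_t value) {
    for (int i = 0; i < 4; i++)
        buf[i] = (uint8_t)(value >> (8 * i));
}

/* Rebuild the value from four bytes read in address order. */
uint32_t load_le32(const uint8_t *buf) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)buf[i] << (8 * i);
    return v;
}

/* Returns 1 if the machine running this code is little-endian. */
int host_is_little_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* read the byte at the lowest address */
    return first == 1;
}

/* Print a memory map. `base` is the simulated address of mem[0]; the
   value occupies mem[off..off+3] and every other byte is shown as 0x??. */
void print_map(uint32_t base, const uint8_t *mem, int len, int off) {
    printf("Address     | Value\n-------------------------\n");
    for (int i = 0; i < len; i++) {
        unsigned addr = (unsigned)(base + (uint32_t)i);
        if (i >= off && i < off + 4)
            printf("0x%08x  | 0x%02x\n", addr, (unsigned)mem[i]);
        else
            printf("0x%08x  | 0x??\n", addr);
    }
}

int main(void) {
    uint8_t mem[8] = {0};
    store_le32(mem + 4, 0x0A0B0C0Du);    /* constructed sample value */
    print_map(0x00001000u, mem, 8, 4);   /* constructed base address */
    printf("host little-endian: %d\n", host_is_little_endian());
    return 0;
}
```

In gdb, `x/4xb &var` prints the four bytes of an int variable in address order, which lets you check a hand-drawn map against a running process.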


Question 4 - Collision Challenge

Read the tutorial notes on the Collision challenge. Complete the challenge on pwnable.kr.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.


Question 5 - bof Challenge

Read the tutorial notes on the bof challenge. Complete the challenge on pwnable.kr.

Give the flag and the command(s) you used to capture the flag. In your own words, explain the steps you took to solve the challenge.