\||/
                                   |  @___oo
                         /\  /\   / (__,,,,|
                         ) /^\) ^\/ _)
                         )   /^\/   _)
                         )   _ /  / _)
                     /\  )/\/ ||  | )_)
                    <  >      |(,,) )__)
                     ||      /    \)___)\
                     | \____(      )___) )___
                      \______(_______;;; __;;;
                       ________  _______________  ________                   
  ____   ____  ____   /   __   \/  _____/\   _  \/   __   \                  
_/ __ \_/ ___\/ __ \  \____    /   __  \ /  /_\  \____    /                  
\  ___/\  \__\  ___/     /    /\  |__\  \\  \_/   \ /    /                   
 \___  >\___  >___  >   /____/  \_____  / \_____  //____/                    
     \/     \/    \/                  \/        \/                           
                     .__                                     __    ________  
_____    ______ _____|__| ____   ____   _____   ____   _____/  |_  \_____  \ 
\__  \  /  ___//  ___/  |/ ___\ /    \ /     \_/ __ \ /    \   __\   _(__  < 
 / __ \_\___ \ \___ \|  / /_/  >   |  \  Y Y  \  ___/|   |  \  |    /       \
(____  /____  >____  >__\___  /|___|  /__|_|  /\___  >___|  /__|   /______  /
     \/     \/     \/  /_____/      \/      \/     \/     \/              \/                

Assignment 3

Overview

In this assignment you will complete a Capture-the-flag (CTF) style challenge. You will be presented with a Linux virtual machine and will be required to solve a set of programming puzzles inspired by the pwnable.kr challenges.

How the assignment is marked

In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.

What to do

Some examples of how you can convince us you thought through the problem could include sharing details of:

  • Your thought process (e.g., “I noticed something unusual in the code, so I…”)
  • Things you didn’t know (e.g., “I had to look up how netcat works”)
  • Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
  • The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)

What NOT to do

  • Say “I couldn’t figure it out” and not write anything else
  • Submit the writeup of another person, whether another student, or someone online (duh)
  • Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
  • Only give the flag and no other window into your thought process

Instructions

Answer the following questions in a PDF and submit it in OWL-> ECE9609-> Assignments-> Assignment 3

Tips

There are a few basic skills that you will need to know to complete the challenges:

  • How to compile and run a C program
  • How to use the gdb debugger
  • How to execute a Python program from the command line
    $ python -c "<program>"
    
  • How to upload and download files using scp
  • How to view and interpret file permissions and ownership
  • How to use a command-line text editor such as vi or vim

Other tips:

  • You can create working files in the /tmp directory
  • The VM is non-persistent. Any changes (e.g., uploaded files) are not saved by the OS after shutdown
  • You can scroll up and down in the terminal window using <SHIFT> + <Pg Up> and <SHIFT> + <Pg Dn>.

vim Tips

vim will help you edit files on the virtual machine if you want to test things. As on pwnable.kr, you can work in the /tmp directory.

  • There are two main modes in vim: Insert mode (for editing text) and command mode.
  • When you first open vim by typing “vim file”, you begin in command mode.
  • When you are in command mode, hit i to enter insert mode. You may begin typing.
  • When you are in insert mode, you can hit Esc to go into command mode.
  • From command mode type :q to quit. If there are unsaved changes you wish to discard type :q!
  • From command mode type :x to save and exit.
  • Many commands exist. Check out this article for examples.

gdb Tips

gdb will help you especially with Q3 and Q4. Here’s a useful guide on gdb commands. Specific commands that will be helpful:

  • list n: print the program’s source code beginning at line n
  • disas func: print the assembly code of function func()
  • break n: set a breakpoint at line n
  • run: run the program in gdb (it will stop at any break points you set)
  • kill: halts a running program
  • p variable: prints the contents of a variable in its default form (e.g. int prints as a decimal integer)
  • p &variable: prints the address of variable
  • p *variable: treats the 4 bytes stored in variable as a target address and prints the contents of that target address (i.e., dereferences variable as a pointer)
  • p/f variable: prints (p/) the contents of variable in the specified format (f). For example:
    • p/x variable: prints the contents of variable displayed in hexadecimal form
    • p/c variable: prints one byte at the address pointed to by variable and displays the result in character form
    • p/c (char* [4])variable: prints 4 bytes beginning at the memory address pointed to by variable and displays them in character form.
    • p/x (char* [4])variable: same as above, only displays them in hexadecimal form
  • x/nfu address: examines (x/) n units of memory beginning at address, printing them in the specified format (f) and with the specified unit size (u). For example:
    • x/20xb 0x08010203: prints 20 bytes (b) in hexadecimal (x) form beginning at address 0x08010203.
    • x/20xb &variable: prints 20 bytes (b) in hexadecimal (x) form beginning at the address of variable.
    • x/2xw 0x08010203: prints 2 words (w), i.e., 4-byte groups, in hexadecimal (x) form beginning at address 0x08010203.
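To see why x/20xb and x/2xw show the same memory differently, it helps to reproduce gdb's formatting yourself. The following C program is an added example and is not part of the assignment or the VM's programs: format_bytes lists bytes in address order the way x/<n>xb does, and format_words_le assembles them into 4-byte words the way x/<n>xw does on a little-endian target such as the x86 course VM. The input bytes are constructed for the example; any address or variable you examine in gdb will of course hold different values.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample memory: the first four bytes are what a little-endian
 * machine stores for the 32-bit value 0x08010203, the next four are "ABCD". */
static const unsigned char sample[8] = {0x03, 0x02, 0x01, 0x08, 0x41, 0x42, 0x43, 0x44};

/* Format n bytes starting at p the way "x/<n>xb addr" lists them: one
 * two-digit hex value per byte, lowest address first. Returns the number
 * of characters written, or 0 if the output buffer is too small. */
size_t format_bytes(const void *p, size_t n, char *out, size_t outsz) {
    const unsigned char *b = p;
    size_t used = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + used, outsz - used, i ? " %02x" : "%02x", b[i]);
        if (w < 0 || (size_t)w >= outsz - used) return 0;
        used += (size_t)w;
    }
    return used;
}

/* Format n 4-byte words the way "x/<n>xw addr" shows them on a little-endian
 * target: the byte at the lowest address becomes the least-significant byte
 * of the word, so each group of four bytes appears reversed relative to
 * format_bytes. Returns characters written, or 0 on a too-small buffer. */
size_t format_words_le(const void *p, size_t n, char *out, size_t outsz) {
    const unsigned char *b = p;
    size_t used = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        uint32_t w = (uint32_t)b[4 * i]
                   | (uint32_t)b[4 * i + 1] << 8
                   | (uint32_t)b[4 * i + 2] << 16
                   | (uint32_t)b[4 * i + 3] << 24;
        int k = snprintf(out + used, outsz - used, i ? " 0x%08x" : "0x%08x", w);
        if (k < 0 || (size_t)k >= outsz - used) return 0;
        used += (size_t)k;
    }
    return used;
}

int main(void) {
    char line[64];
    /* Same eight bytes, two views: this mirrors "x/8xb" vs "x/2xw" in gdb. */
    format_bytes(sample, sizeof sample, line, sizeof line);
    printf("x/8xb view: %s\n", line);      /* 03 02 01 08 41 42 43 44 */
    format_words_le(sample, 2, line, sizeof line);
    printf("x/2xw view: %s\n", line);      /* 0x08010203 0x44434241 */
    return 0;
}
```

When you later run x/2xw on a real address in the VM, compare its output against x/8xb on the same address: the byte reversal inside each word is gdb assembling little-endian words, not a change in memory.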

VM Ground Rules

The purpose of the assignment is to simulate a real, remotely accessed computer system, and the questions are meant to be solved in that spirit. To that end, you will not receive credit for accessing the flags by attacking the virtual machine itself (e.g., by recovering the flags from forensics on the .ova file).


Questions

There are 4 user accounts: q1, q2, q3, and q4. Log in to each account and capture the flag.

All flags have the form flag{...}

  1. Question 1
    • Challenge name: Hidden
    • Username: q1
    • Password: q1
    • Flag location: /home/q1/flag1
    • Instructions: Locate and run a program owned by user flag1 to capture the flag.
  2. Question 2
    • Challenge name: Hardcode
    • Username: q2
    • Password: q2
    • Flag location: /home/q2/flag2
    • Instructions: Run the hardcode program. Enter the correct password to capture the flag.
  3. Question 3
    • Challenge name: Password
    • Username: q3
    • Password: q3
    • Flag location: /home/q3/flag3
    • Instructions: Get the program to execute the system() command in the password program to capture the flag.
    • Hint: Use the knowledge you gained from the bof challenge in Assignment 2.
  4. Question 4
    • Challenge name: Username
    • Username: q4
    • Password: q4
    • Flag location: /home/q4/flag4
    • Instructions: Get the program to execute the system() command in the username program to capture the flag.
    • Hint: Use the knowledge you gained from the passcode lecture.
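Questions 3 and 4 hinge on a program that reads user input into a fixed-size buffer. The following C snippet is an added illustration, not the code of the password or username programs on the VM: it shows the length check that separates a bounded copy from an unbounded one such as gets() or strcpy() into a stack buffer, which is the defect the bof material in Assignment 2 covers. PASS_MAX, copy_bounded, check_password and the secret string are all hypothetical names and values constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define PASS_MAX 16   /* hypothetical size of the fixed stack buffer */

/* Copy src into dst only if it fits together with its terminating NUL.
 * Returns 1 on success and 0 if the input was rejected. This is the check
 * an unbounded read lacks: without it, bytes beyond dst land on whatever
 * the compiler placed after the buffer on the stack. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz) return 0;   /* would not fit with NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Hypothetical password check with a fixed buffer on the stack.
 * Returns 1 on a match, 0 on a mismatch and -1 if the input was too long
 * to be stored safely (the program refuses instead of overflowing). */
int check_password(const char *input) {
    char buf[PASS_MAX];
    if (!copy_bounded(buf, sizeof buf, input)) return -1;
    return strcmp(buf, "constructed_pw") == 0;  /* constructed secret */
}

int main(void) {
    /* Constructed inputs: a correct password, a wrong one, and an overlong one. */
    const char *inputs[] = {"constructed_pw", "wrong", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"};
    for (size_t i = 0; i < 3; i++)
        printf("input %zu -> %d\n", i, check_password(inputs[i]));
    return 0;
}
```

When you read the challenge programs in gdb (disas, list), look for where the input length is, or is not, compared against the buffer size before the copy; that comparison is what decides whether the program behaves like this example or not.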