\||/
                                   |  @___oo
                         /\  /\   / (__,,,,|
                         ) /^\) ^\/ _)
                         )   /^\/   _)
                         )   _ /  / _)
                     /\  )/\/ ||  | )_)
                    <  >      |(,,) )__)
                     ||      /    \)___)\
                     | \____(      )___) )___
                      \______(_______;;; __;;;
                       ________  _______________  ________                   
  ____   ____  ____   /   __   \/  _____/\   _  \/   __   \                  
_/ __ \_/ ___\/ __ \  \____    /   __  \ /  /_\  \____    /                  
\  ___/\  \__\  ___/     /    /\  |__\  \\  \_/   \ /    /                   
 \___  >\___  >___  >   /____/  \_____  / \_____  //____/                    
     \/     \/    \/                  \/        \/                           
                     .__                                     __    ________  
_____    ______ _____|__| ____   ____   _____   ____   _____/  |_  \_____  \ 
\__  \  /  ___//  ___/  |/ ___\ /    \ /     \_/ __ \ /    \   __\   _(__  < 
 / __ \_\___ \ \___ \|  / /_/  >   |  \  Y Y  \  ___/|   |  \  |    /       \
(____  /____  >____  >__\___  /|___|  /__|_|  /\___  >___|  /__|   /______  /
     \/     \/     \/  /_____/      \/      \/     \/     \/              \/                

Assignment 3

Overview

In this assignment you will complete a Capture-the-flag (CTF) style challenge. You will be presented with a Linux virtual machine and will be required to solve a set of programming puzzles inspired by the pwnable.kr challenges.

How the assignment is marked

In order to get full marks on this assignment it is not sufficient merely to capture the flag. Similarly it is not acceptable to copy/paste a solution found on the web. You can use existing solutions to help you build your understanding. But in order to get full marks, you will need to provide some evidence that you actually attempted to think and work through the problem. Give us a window into your thinking. Convince us you understand these ideas by telling us about your journey.

What to do

Some examples of how you can convince us you thought through the problem could include sharing details of:

  • Your thought process (e.g., “I noticed something unusual in the code, so I…”)
  • Things you didn’t know (e.g., “I had to look up how netcat works”)
  • Things you tried that didn’t work (e.g., “The documentation mentioned the ‘-x’ flag, but it kept giving an error, so I…”)
  • The lead up to the moment where things finally made sense (e.g., “…then I realized, no, it had to be … so I changed it and then it worked!”)

What NOT to do

  • Say “I couldn’t figure it out” and not write anything else
  • Submit the writeup of another person, whether another student, or someone online (duh)
  • Use text and images you didn’t write/create yourself (unless you properly quote and cite it)
  • Only give the flag and no other window into your thought process

Instructions

Answer the following questions in a PDF and submit it in OWL -> ECE9609 -> Assignments -> Assignment 3


Requirements

  • A modern computer. The VM is based on Tinycore Linux, and the virtual machine image is only about 100Mb to download.

Directions for VirtualBox

These instructions apply to students using Intel/AMD64 architectures. Mac M1/M2 users skip this section and scroll down below.

Install VirtualBox

  • The VirtualBox virtual machine player. (Note: You can use any VM player that supports .ova VMs; however, the instructions below are specific to VirtualBox and may differ slightly if you decide to use a different player such as VMware.)
  • It is recommended that you install the VirtualBox Extension Pack. This makes it easier to interact with your host OS, e.g. by logging in via SSH, transferring files with scp, and using copy/paste.
    • Note to Mac users: You must allow the Oracle extensions by going into System Preferences -> Security & Privacy -> General and clicking Allow. A restart may be required. Later, when you try to start the virtual machine, it will also ask you to grant it Accessibility and Keyboard permissions in the System Preferences -> Security & Privacy -> Privacy area.
  • Open VirtualBox. If it’s your first time, create a new host-only network. Click File -> Tools -> Network Manager -> Create. An adapter with a name like HostNetwork will now show in the list.

Load the Virtual Machine

  • Download the ECE 9609 Assignment 3 VM.ova virtual machine image from OWL -> ECE 9609 -> Resources
  • Import the virtual machine image into your virtual machine player:
    • File -> Import appliance -> ECE 9609 Assignment 3 VM.ova -> Continue -> Import
  • Start the VM:
    • ECE 9609 Assignment 3 -> Start
  • Log in to an account and capture the flag.

The VM is currently configured to use a Host-only Network adapter, which provides network access between your host OS and the VM.

Directions for Mac M1/M2 Users

These instructions apply to students with a Mac M1/M2 (ARM) architecture (also known as “Apple Silicon”).

The Tinycore Linux VM is built for the AMD64 architecture, so it is not directly compatible with your device’s ARM instruction set. Fortunately, there’s a decent, free VM emulator for Mac called “UTM”. For the purposes of this assignment, it does the same thing as VirtualBox.

Install UTM

  • Download and install the free UTM app.
  • Do not download from the Mac App Store (it costs money—and the free version is the SAME!)

Load the Virtual Machine

  • Download the ECE 9609 Assignment 3 VM-for-Mac-M1.utm.zip virtual machine image from OWL -> ECE 9609 -> Resources
  • Unzip to produce the file ECE 9609 Assignment 3 VM-for-Mac-M1.utm
  • In UTM click “Create a New Virtual Machine” -> Existing -> Open
  • In the left column, double-click on the VM to run.

Accessing Your VM over SSH

We highly recommend interacting with the VM over SSH instead of directly in the VM player’s window. Working with the VM directly is annoying: you cannot copy/paste, repeat commands, or scroll up to see previous output.

To do this you will need to know the IP address of the virtual machine as seen from your host OS. Log into the VM once and type ifconfig to find the IP address.

q1@box:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:BA:8C:11
          inet addr:192.168.56.102  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
...

This tells us the VM’s IP address is 192.168.56.102 (it may be different on your machine). Then, from a command line in the host OS, we can log into an account (e.g., q1) via ssh:

$ ssh q1@192.168.56.102

Note: The IP address of your VM may be different.

The first time you log in it will ask you to accept the server’s SSH public key. You can also use the IP address to download/upload files using utilities like scp. This will allow you to write programs in your favorite code editor and then transfer them to the VM instead of having to work in vim all the time.

Tips

There are a few basic skills that you will need to know to complete the challenges:

  • How to compile and run a C program
  • How to use the gdb debugger
  • How to execute a Python program from the command line
    $ python -c "<program>"
    
  • How to upload and download files using scp
  • How to view and interpret file permissions and ownership
  • How to use a command-line text editor like vi or vim

Other tips:

  • You can create working files in the /tmp directory
  • The VM is non-persistent. Any changes (e.g., uploaded files) are not saved by the OS after shutdown
  • You can scroll up and down in the terminal window using <SHIFT> + <Pg Up> and <SHIFT> + <Pg Dn>.

vim Tips

vim will help you edit files on the virtual machine if you want to test things. Like pwnable.kr you can work in the /tmp directory.

  • There are two main modes in vim: Insert mode (for editing text) and command mode.
  • When you first open vim by typing “vim file”, you begin in command mode.
  • When you are in command mode, hit i to enter insert mode. You may begin typing.
  • When you are in insert mode, you can hit Esc to go into command mode.
  • From command mode type :q to quit. If there are unsaved changes you wish to discard type :q!
  • From command mode type :x to exit with saving.
  • Many commands exist. Check out this article for examples.

gdb Tips

gdb will help you especially with Q3 and Q4. Here’s a useful guide on gdb commands. Specific commands that will be helpful:

  • list n: print the program’s source code beginning at line n
  • disas func: print the assembly code of function func()
  • break n: set a breakpoint at line n
  • run: run the program in gdb (it will stop at any break points you set)
  • kill: halts a running program
  • p variable: prints the contents of a variable in its default form (e.g. int prints as a decimal integer)
  • p &variable: prints the address of variable
  • p *variable: reads the 4 bytes stored in variable, treats them as a target address, and prints the contents of that target address.
  • p/f variable: prints (p/) the contents of variable, displayed in the specified format (f). For example:
    • p/x variable: prints the contents of variable displayed in hexadecimal form
    • p/c variable: prints one byte at the address pointed to by variable and displays the result in character form
    • p/c (char [4])variable: prints 4 bytes beginning at the memory address pointed to by variable and displays them in character form.
    • p/x (char [4])variable: same as above, only displays them in hexadecimal form
  • x/nfu address: examines (x/) n units of memory beginning at address, printing them in the specified format (f) and unit size (u). For example:
    • x/20xb 0x08010203: prints 20 bytes (b) in hexadecimal (x) form beginning at address 0x08010203.
    • x/20xb &variable: prints 20 bytes (b) in hexadecimal (x) form beginning at the address of variable.
    • x/2xw 0x08010203: prints 2 words (w), i.e., 4-byte groups, in hexadecimal (x) form beginning at address 0x08010203.
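To make the b and w units concrete, here is an added C illustration (not code from the assignment or its VM): it renders a constructed 12-byte local layout the way x/12xb and x/3xw would list it, so the little-endian reversal between the byte view and the word view is visible. The struct frame, its contents and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format n bytes at p the way gdb's "x/<n>xb addr" lists them: one 0x.. token
 * per byte in address order, tab-separated. Returns the characters written. */
static size_t format_xb(const void *p, size_t n, char *out, size_t cap)
{
    const unsigned char *b = p;
    size_t used = 0;
    for (size_t i = 0; i < n && used < cap; i++) {
        int w = snprintf(out + used, cap - used, "%s0x%02x", i ? "\t" : "", b[i]);
        if (w < 0 || (size_t)w >= cap - used) break;
        used += (size_t)w;
    }
    return used;
}

/* Format n 4-byte words at p the way "x/<n>xw addr" lists them. The VM is
 * AMD64 and therefore little-endian: the first byte in memory is the least
 * significant byte of the word, so bytes appear reversed relative to x/xb. */
static size_t format_xw(const void *p, size_t n, char *out, size_t cap)
{
    const unsigned char *b = p;
    size_t used = 0;
    for (size_t i = 0; i < n && used < cap; i++) {
        const unsigned char *q = b + 4 * i;
        unsigned word = q[0] | (unsigned)q[1] << 8 | (unsigned)q[2] << 16 | (unsigned)q[3] << 24;
        int w = snprintf(out + used, cap - used, "%s0x%08x", i ? "\t" : "", word);
        if (w < 0 || (size_t)w >= cap - used) break;
        used += (size_t)w;
    }
    return used;
}

/* Hypothetical local layout: an 8-byte buffer followed by a 4-byte value. */
struct frame { char buf[8]; uint32_t value; };

/* Fill xb/xw with both views of a constructed frame; returns sizeof(struct frame).
 * Assumes a little-endian host, which is what the AMD64 VM is. */
size_t layout_demo(char *xb, char *xw, size_t cap)
{
    struct frame f;
    memcpy(f.buf, "ABCDEFGH", 8);         /* constructed sample contents, no NUL */
    f.value = 0x41424344u;                /* stored in host order: 44 43 42 41 */
    format_xb(&f, sizeof f, xb, cap);     /* like: x/12xb &f */
    format_xw(&f, sizeof f / 4, xw, cap); /* like: x/3xw &f */
    return sizeof f;
}
```

Calling layout_demo and printing both strings shows that the word view of "ABCD" reads 0x44434241 while the integer 0x41424344 shows up in the byte view as 44 43 42 41.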

VM Ground Rules

The purpose of the assignment is to simulate a real, remotely accessed computer system and questions are meant to be solved in this spirit. To that end, you will not receive credit for accessing the flags by attacking the virtual machine itself e.g., by recovering the flags from forensics on the .ova file.


Questions

There are 4 user accounts: q1, q2, q3, and q4. Log in to each account and capture the flag.

All flags have the form flag{...}

  1. Question 1
    • Challenge name: Hidden
    • Username: q1
    • Password: q1
    • Flag location: /home/q1/flag1
    • Instructions: Locate and run a program owned by user flag1 to capture the flag.
  2. Question 2
    • Challenge name: Hardcode
    • Username: q2
    • Password: q2
    • Flag location: /home/q2/flag2
    • Instructions: Run the hardcode program. Enter the correct password to capture the flag.
  3. Question 3
    • Challenge name: Password
    • Username: q3
    • Password: q3
    • Flag location: /home/q3/flag3
    • Instructions: Get the program to execute the system() command in the password program to capture the flag.
    • Hint: Use the knowledge you gained from the bof challenge in Assignment 2.
  4. Question 4
    • Challenge name: Username
    • Username: q4
    • Password: q4
    • Flag location: /home/q4/flag4
    • Instructions: Get the program to execute the system() command in the username program to capture the flag.
    • Hint: Use the knowledge you gained from the passcode lecture.