HackTheBox-Challenges WIDE Writeup

kazma, founder and president of the NCKU Information Security Club (成大資安社)

Exploitation

Opening this challenge in IDA shows that the usage is to pass the provided db file as an argument to the ELF. Running it looks like this:

└─$ ./wide db.ex
[*] Welcome user: kr4eq4L2$12xb, to the Widely Inflated Dimension Editor [*]
[*] Serving your pocket dimension storage needs since 14,012.5 B [*]
[*] Displaying Dimensions.... [*]
[*] Name | Code | Encrypted [*]
[X] Primus | people breathe variety practice | [*]
[X] Cheagaz | scene control river importance | [*]
[X] Byenoovia | fighting cast it parallel | [*]
[X] Cloteprea | facing motor unusual heavy | [*]
[X] Maraqa | stomach motion sale valuable | [*]
[X] Aidor | feathers stream sides gate | [*]
[X] Flaggle Alpha | admin secret power hidden | * [*]
Which dimension would you like to examine? 1
The Ice Dimension
Which dimension would you like to examine? 2
The Berserk Dimension
Which dimension would you like to examine? 3
The Hungry Dimension
Which dimension would you like to examine? 4
The Water Dimension
Which dimension would you like to examine? 5
The Bone Dimension
Which dimension would you like to examine? 6
[X] That entry is encrypted - please enter your WIDE decryption key: sup3rs3cr3tw1d3
HTB{som3_str1ng5_4r3_w1d3}
Which dimension would you like to examine? Our home dimension
Which dimension would you like to examine?

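The program asks which dimension we want to examine, and entry 6 turns out to require a password. In IDA, menu() shows the password that our input is compared against, and the rodata section holds the password itself: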

.rodata:00000000000010D0 ; const char aXThatEntryIsEn[]
.rodata:00000000000010D0 aXThatEntryIsEn db '[X] That entry is encrypted - please enter your WIDE decryption k'
.rodata:00000000000010D0 ; DATA XREF: menu+2B9↑o
.rodata:0000000000001111 db 'ey: ',0
.rodata:0000000000001116 align 8
.rodata:0000000000001118 ; const wchar_t s2
.rodata:0000000000001118 s2 db 's',0 ; DATA XREF: menu+30A↑o
.rodata:000000000000111A align 4
.rodata:000000000000111C aU db 'u',0
.rodata:000000000000111E align 20h
.rodata:0000000000001120 aP db 'p',0
.rodata:0000000000001122 align 4
.rodata:0000000000001124 a3 db '3',0
.rodata:0000000000001126 align 8
.rodata:0000000000001128 aR db 'r',0
.rodata:000000000000112A align 4
.rodata:000000000000112C aS db 's',0
.rodata:000000000000112E align 10h
.rodata:0000000000001130 a3_0 db '3',0
.rodata:0000000000001132 align 4
.rodata:0000000000001134 aC db 'c',0
.rodata:0000000000001136 align 8
.rodata:0000000000001138 aR_0 db 'r',0
.rodata:000000000000113A align 4
.rodata:000000000000113C a3_1 db '3',0
.rodata:000000000000113E align 20h
.rodata:0000000000001140 aT db 't',0
.rodata:0000000000001142 align 4
.rodata:0000000000001144 aW db 'w',0
.rodata:0000000000001146 align 8
.rodata:0000000000001148 a1 db '1',0
.rodata:000000000000114A align 4
.rodata:000000000000114C aD db 'd',0
.rodata:000000000000114E align 10h
.rodata:0000000000001150 a3_2 db '3',0
.rodata:0000000000001152 align 8

While we are here, let's also practice reading the password with pwntools:

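from pwn import *

# Load the challenge binary; checksec=False skips the protections banner
file = ELF("wide", checksec=False)
# s2 is a wchar_t string in .rodata: one character every 4 bytes
start_addr = 0x1118
end_addr = 0x1154

flag = b""
for i in range(start_addr, end_addr, 4):
    # Keep only the low byte of each 4-byte wide character
    flag += file.read(i, 1)

print(flag.decode("ascii"))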

Result:

└─$ python read_pw.py
sup3rs3cr3tw1d3
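
The loop above relies on the start and end addresses taken from IDA. As an added example (not part of the original writeup), the sketch below generalizes it: it scans any byte buffer for runs of 4-byte little-endian wchar_t characters, as `strings -e L` does, and shows that a default narrow scan misses such a key. The buffer, prompt text and key value are constructed sample data, and the function names are hypothetical.

```python
import re
import struct

def narrow_strings(blob, min_len=4):
    """Runs of printable 1-byte ASCII: what a default `strings` scan sees."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def wide_strings(blob, min_len=4):
    """Return (offset, text) for each run of printable ASCII stored as
    4-byte little-endian wchar_t."""
    found = []
    # A wide string may start at any of the four byte phases in the buffer.
    for phase in range(4):
        run_start, chars = None, []
        for off in range(phase, len(blob) - 3, 4):
            (cp,) = struct.unpack_from("<I", blob, off)
            if 0x20 <= cp <= 0x7E:
                if run_start is None:
                    run_start = off
                chars.append(chr(cp))
                continue
            # Non-printable code point ends the current run.
            if len(chars) >= min_len:
                found.append((run_start, "".join(chars)))
            run_start, chars = None, []
        if len(chars) >= min_len:
            found.append((run_start, "".join(chars)))
    return sorted(found)

def sample_rodata():
    """Constructed stand-in for a .rodata fragment: a narrow prompt,
    alignment padding, then a wchar_t key (all values are made up)."""
    narrow = b"enter key: \x00"
    pad = b"\x00" * (-len(narrow) % 8)
    wide = "c0nstruct3d-k3y".encode("utf-32-le") + b"\x00" * 4
    return narrow + pad + wide + b"ok\x00"

if __name__ == "__main__":
    blob = sample_rodata()
    print("narrow:", narrow_strings(blob))
    for off, text in wide_strings(blob):
        print(f"wide @ {off:#x}: {text}")
```

A narrow string that ends in a space immediately before aligned zero padding can decode as one extra leading wide character, so check the first character of a hit against the disassembly.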
  • Title: HackTheBox-Challenges WIDE Writeup
  • Author: kazma
  • Created at : 2024-11-04 16:38:57
  • Updated at : 2024-11-04 16:47:41
  • Link: https://kazma.tw/2024/11/04/HackTheBox-Challenges-WIDE-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.