PicoCTF Binary Demo 2
Hi, guys.
I am just learning the demo CTF from the PicoCTF website below, but I can’t understand how to exploit this source.
I hope someone here can help me understand it, maybe with a simple write-up.
https://picoctf.com/binary_demo/binary_demo.html#2
http://codepad.org/sqFNC4p8
Any help will be appreciated.
What usually really helps is adding a bunch of debug prints to show the contents of variables. In this case, you probably don’t just want to print things as strings, but, for example, output some hex for all buffers.
As an approach, I would just work back from your goal (i.e. the call to system). What do you want line3 to contain at that point? Ok, so if line3 is like that, how do you make the condition in the if evaluate to true? Etc.
B.t.w.: your pasted code isn’t quite right because [i**] is interpreted as markup. Makes the challenge a bit too easy… ;)
I already tried adding a bunch of debug strings.
Assume I want line3 to contain sh; yes, I need to make line2 match line3. In the original source, line2 and line3 are changed with XOR and 0x80.
I already tried commenting out the loop code that changes the line2 and line3 content, but I still don’t understand it.
Here is my debug so far.
http://codepad.org/U8471ZBf
I would be happy if we can solve this challenge together as a learning exercise, maybe for noobs like me. :D :)
As I said before, just using printf like that is not really the best way. You’ll miss crucial information and probably mess up your terminal at some point.
You say you don’t understand “it”, but you don’t say what you don’t understand. Be more specific. I can easily tell you the whole solution, but it will be more useful if you try to do as much as possible on your own.
If something doesn’t work like you expect it to, add more debugging, read the manual (again) and try other things to figure out what is going on.
Here is what I’ve done so far.
Commented out the loop code (protection) for the line2 and line3 variables in lines 79 - 90.
Here is the result http://codepad.org/t9NGgBD5
Here is my payload:
printf '\x00\nid\x004567890123456789id' | ./Demo2
I have some questions.
Why does
fgets(line1, 19, stdin);
printf("line1 is : %s\n", line1);
read only 17 chars? As I read before, fgets should read 18 chars. Yes, I know the last one is the null terminator.
Why doesn’t sh work in my payload?
I don’t know why I should use printf in my payload instead of running the application and entering the payload in the terminal; I just followed the tutorial.
I hope you can help me to understand what I’ve done so far.
Why do you think fgets only reads 17 chars? It really does read 18.
And ‘sh’ does work. Just think about where it gets it input from. (B.t.w.: you can easily verify this by using something like ‘strace -f -e execv ./Demo2’.)
I don’t know why I should use printf in my payload instead of running the application and entering the payload in the terminal; I just followed the tutorial.
I don’t understand this sentence.
Sorry, wrong counting. It reads 18 chars.
This injection below
printf '\x00\nsh\x004567890123456789sh' | ./Demo2
just gives me ‘step 1 success’ instead of an interactive shell. I don’t know why.
Instead of writing the exploit in a single line in the terminal like this
printf '\x00\nid\x004567890123456789id' | ./Demo2
can I just run the application and type the injection inside the application? I mean, I run ./Demo2, then the terminal asks me to input something, right? So now I start typing the injection \0x00\n and so on. But this step fails because the null byte injection doesn’t work; the null byte prints the string \0x00. Why does this happen?
I hope you can understand what I meant. Sorry for my bad English.
Just like you cannot type the input for Demo2 manually if you use the pipe, you cannot type the input for sh manually. The sh will “take over” the Demo2 program, so it will use the same input, which is the pipe. When there is nothing more to read from the pipe, sh will terminate.
You can’t just type a nul byte in your terminal. This is why you used the ‘printf’ command, as it turns the string ‘\x00’ into an actual nul byte.
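To make the two points above concrete (fgets with size 19 consumes at most 18 bytes or up to and including the newline, and an embedded nul byte is invisible to a %s debug print), here is an added example that is not part of the thread or the PicoCTF demo. It feeds the constructed byte sequence from the payload above through an ISO C stream instead of a pipe and measures what each fgets call actually consumed, alongside the hex view the earlier reply recommends.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the bytes a pipe would deliver. The embedded nul and the
 * newline are exactly what a plain %s debug print hides. */
static const char SAMPLE[] = "\x00\nid\x00" "4567890123456789id";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

struct line {
    long consumed;   /* bytes fgets removed from the stream */
    size_t visible;  /* strlen(): what printf("%s") would show */
    char buf[19];    /* same size as the demo's fgets(line1, 19, stdin) */
};

/* Build a stream from a byte buffer using only ISO C (tmpfile is binary). */
static FILE *stream_from_bytes(const char *bytes, size_t len) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fwrite(bytes, 1, len, f);
    rewind(f);
    return f;
}

/* One fgets(buf, 19, f) call: reads at most 18 bytes (n - 1, leaving room for
 * the terminator) or up to and including '\n'; a nul byte does not stop it. */
static struct line read_line(FILE *f) {
    struct line l;
    memset(&l, 0, sizeof l);
    long before = ftell(f);
    if (fgets(l.buf, sizeof l.buf, f) == NULL) { l.consumed = -1; return l; }
    l.consumed = ftell(f) - before;
    l.visible = strlen(l.buf);
    return l;
}

/* Hex view of the whole buffer: the debug output to use instead of %s. */
static void hex_dump(const char *buf, size_t len, char *out, size_t outsz) {
    size_t pos = 0;
    for (size_t i = 0; i < len && pos + 3 < outsz; i++)
        pos += (size_t)snprintf(out + pos, outsz - pos, "%02x ", (unsigned char)buf[i]);
    if (pos > 0) out[pos - 1] = '\0'; /* drop the trailing space */
}

int main(void) {
    FILE *f = stream_from_bytes(SAMPLE, SAMPLE_LEN);
    char hex[64];
    for (int i = 1; f != NULL && i <= 2; i++) {
        struct line l = read_line(f);
        hex_dump(l.buf, sizeof l.buf, hex, sizeof hex);
        printf("line%d: consumed=%ld strlen=%zu hex=%s\n", i, l.consumed, l.visible, hex);
    }
    return 0;
}
```

The first call consumes only the two bytes "\x00\n" (strlen 0), the second consumes a full 18 bytes although strlen reports 2, which is why the hex view rather than %s tells you what is really in the buffer.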
orly!?
This reminds me… https://www.hackthis.co.uk/forum/off-topic/20270-djokes?page=11#post-61495