OverTheWire – Vortex – Level 0 – Writeup

Earlier today I decided to take a break from my work on the IO challenges, where I am currently up to level 10 and thought I had made progress, but no cigar. That is when I learnt about the overthewire.org wargaming group. I was planning on having a crack at the other categories from SmashTheStack, but decided that since I had just learnt of OverTheWire, why not try it out.

So now on to the actual challenge. I decided I would begin with the Vortex category of OverTheWire, the first level being level 0. The challenge for the level is given below.

Level Goal:
Your goal is to connect to port 5842 on vortex.labs.overthewire.org and read in 4 unsigned integers in host byte order. Add these integers together and send back the results to get a username and password for vortex1. This information can be used to log in using SSH.
Note: vortex is on an 32bit x86 machine (meaning, a little endian architecture)

This is a basic challenge:

  • Connect to the game server.
  • The game server sends 4 bytes.
  • I have to change the order of the 4 bytes and replay them back to the server.

I had just participated in the CSAW CTF 2013 Quals event, in which one of the exploitation challenges was similar to this, with a couple of bytes sent at the start, so I decided to use the writeups for that challenge as a reference point for my answer to this one.


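#!/usr/bin/python

import socket
import struct

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("vortex.labs.overthewire.org", 5842))

# Running total of the integers received
b = 0

# Read 4 bytes at a time and unpack each as a little-endian unsigned int
for i in range(4):
    data = s.recv(4)
    b += struct.unpack("<I", data)[0]

# Keep the low 32 bits of the sum and send it back as a little-endian unsigned int
s.send(struct.pack("<I", (b & 0xFFFFFFFF)))

# Print the server's response
print(s.recv(1024))
s.close()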

Using Python I was able to write the code above, which connects to a hardcoded server address and port number, receives the 4 bytes when connected, interprets them in little-endian byte order, takes the sum, sends it to the target server and waits for the response.
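An added example, not part of the original post: the same read, sum and reply exchange run offline against a local socket pair standing in for the game server. It shows two edge cases, a recv() that returns fewer bytes than requested and a sum that no longer fits the "<I" format without the 32-bit mask. The helper names and the sample integers are constructed for illustration.

```python
import socket
import struct

def recv_exact(sock, n):
    """Read exactly n bytes; a single recv() may return fewer."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf

def sum_reply(payload):
    """Turn 16 bytes (four little-endian uint32) into the 4-byte reply."""
    values = struct.unpack("<4I", payload)
    total = sum(values)                     # Python ints do not wrap at 32 bits
    return struct.pack("<I", total & 0xFFFFFFFF)

def unmasked_pack_fails(total):
    """True when "<I" cannot hold total, i.e. the mask was required."""
    try:
        struct.pack("<I", total)
        return False
    except struct.error:
        return True

def demo():
    # Constructed sample values whose sum exceeds 32 bits.
    values = (0xFFFFFFF0, 0x00000020, 0x80000000, 0x00000001)
    server, client = socket.socketpair()    # local stand-in for the game server
    wire = struct.pack("<4I", *values)
    server.sendall(wire[:3])                # deliberately split mid-integer
    server.sendall(wire[3:])
    client.sendall(sum_reply(recv_exact(client, 16)))
    echoed = struct.unpack("<I", recv_exact(server, 4))[0]
    server.close()
    client.close()
    return sum(values), echoed

if __name__ == "__main__":
    total, echoed = demo()
    print(hex(total), "->", hex(echoed), "mask needed:", unmasked_pack_fails(total))
```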


Answer:
Username: vortex1 Password: *********


2 comments

  1. Hi,

    Can you please explain “(b & 0xFFFFFFFF)”. Why did you and ‘b’ with ‘0xFFFFFFFF’? I know 0xFFFFFFFF represents -1.

  2. You might be interested in the documentation for the python function unpack() and pack() http://docs.python.org/2/library/struct.html

    data = s.recv(4)
    b += struct.unpack("<I", data)[0]

    I used "b" because I use s.recv(4) to put the 4 bytes I receive for the remote binary and put it into the variable "data", next I use the unpack() to unpack the string of data based on the format of "<I" and the [0] is so it is an array now.

    s.send(struct.pack("<I",(b & 0xFFFFFFFF)))

    Next, the above line just sends the contents of b back. And 0xFFFFFFFF isn't actually needed.
