wk0 - intro

Theme: Static debugging, memory dump, reading symbols, addresses

Are you alive: server edition (5)

Solve: Input the line nc offsec-chalbroker.osiris.cyber.nyu.edu 1237 into the terminal. Enter the Net ID. The OSIRIS server at port 1237 responds with the flag.

Baby glibc (50)

Given

• libc.so.6

  • file that contains code from standard library

• baby_glibc

  • a program that uses functions from standard library glibc

  • memory addr for these functions are set as 0 because they are yet unknown

Solve

Strategy is as follows:

1. Parse the raw bytes sent from OSIRIS server to obtain glibc's printf function's absolute memory address

   1. Write a Python script using pwntools to decode the bytes

2. Find offset of printf function from libc.so.6's symbol table

3. Calculate base addr = printf's absolute addr - printf's offset

4. Find sleep function's offset from libc.so.6's symbol table

5. sleep function's absolute memory addr = base addr + sleep function's offset

Enter for the flag!

Vault 0 (50)

Goal

Find the memory address of the secret vault. No PIE. This means all memory addresses are absolute memory addresses, not offsets.

Solve

Run readelf -Ws vault0. Look for the entry for the secret vault, where name = secret_vault.

On line 38, we see:

38: 0000000000401236    21 FUNC    GLOBAL DEFAULT   15 secret_vault

This means the address for the secret vault is at 0x401236 Convert this to decimal, becoming: 4198966

Send that to the OSIRIS server. Flag captured!

Flag

flag{Th3_g00d_0ld_d4ys_0f_N0_PIE!_45c85d71aaa647f0}

Vault 1 (50)

Given

Can you still find the address of the secret vault? This time, PIE is activated. This means the value column shows offsets, not absolute memory addresses of things.
Do you remember all that info about PIE?
nc offsec-chalbroker.osiris.cyber.nyu.edu 1231
But I found this base address 0x5616cd0fc000 on a post-it note! (note: base addr changes every time)

Solve

Run readelf -Ws vault1 to see the symbol table of the file vault1 Look for the entry for the secret vault:

38: 0000000000001249    26 FUNC    GLOBAL DEFAULT   16 secret_vault

0x1249 shows the offset of secret_vault.

Then, the secret_vault's absolute memory address can be calculated as follows:

secret_vault's offset + base addr = 0x1249 + 0x5616cd0fc000 = 0x5616cd0fd249

Vault 2 (50)

Given

• nc offsec-chalbroker.osiris.cyber.nyu.edu 1232

Goal

• Find address of secret_vault

Solve

The provided fake vault address 0x5648602f4029 is the absolute address of fake vault. Subtract from it the fake vault's offset (see symbol table of vault2 for fake vault's entry: 0x4029) to obtain the base address:

• base address = 0x5648602f4029 - 0x4029 = 0x5648602f0000 The absolute address of secret vault is:

• base address + secret_vault's offset = 0x5648602f0000 + 0x1269 = 0x5648602f1269

Submit 0x5648602f1269 to obtain the flag.