The description and source code can be found here:
http://exploit.education/phoenix/net-zero/
In this challenge, we’re given an integer (as a string) and are expected to convert that to the “native endian of the architecture the binary is running on.” For instance, if we’re given “4096”, the hex value of that is 0x1000. In little endian format, this equates to 0x0010. So that’s what we’d need to send back to the program (as bytes).
I’ll check this with netcat first:
    user@phoenix-amd64:~$ nc 127.1 64000
    Welcome to phoenix/net-zero, brought to you by https://exploit.education
    Please send '3952255007' as a little endian, 32bit integer.
    1000
    Close - you sent 808464433 instead
Fun fact, the IP address 127.0.0.1 can be truncated to 127.1!
I sent the ASCII representation of the number 1000 back to the program. In hex, those four characters are the bytes 0x31 0x30 0x30 0x30 (0x31303030 in the order sent). The program reads them as a little endian integer, so the first byte received becomes the least significant one and the value it sees is 0x30303031. Converting that to an integer:
    user@phoenix-amd64:~$ python3 -c 'print(int("0x30303031", 0))'
    808464433
Now that I know what’s going on, I can write a Python script to parse out the string, convert it to bytes in little endian format, and send it back to the program. Save this Python script, make it executable, and execute it:
    #!/usr/bin/env python3
    import socket
    import time

    IP = "127.0.0.1"
    PORT = 64000

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((IP, PORT))

    # Get the first 2 lines
    print(s.recv(132).decode(), end='')
    time.sleep(0.1)
    msg = s.recv(132).decode()
    print(msg)

    # Save the number within the second line
    number = int(msg.split("'")[1])

    # Convert to hex, zero-padded to 8 digits so the answer is always 4 bytes
    hexval = "{:08x}".format(number)
    print("Hex value of the number is: 0x{}".format(hexval))

    # Reverse the hex value byte by byte to put it in little endian format
    rev_hex = "".join(reversed([hexval[i:i+2] for i in range(0, len(hexval), 2)]))

    # Send the data as bytes
    print('Sending "{}"\n'.format("0x" + rev_hex))
    byteval = bytes.fromhex(rev_hex)
    s.sendall(byteval)

    # Print the last message
    print(s.recv(132).decode())
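
The conversion can also be checked offline, without a socket. The following is an added example, not part of the original post: it parses the prompt, encodes the answer with `struct.pack`, and compares that with reversing unpadded hex digits, which produces too few bytes for small values. All function names are hypothetical, and `server_view` is an assumed model of how the receiver interprets the first four bytes.

```python
import re
import struct

# Prompt wording taken from the netcat session shown in the post.
PROMPT_RE = re.compile(r"Please send '(\d+)' as a little endian, 32bit integer")

def parse_challenge(banner):
    """Pull the decimal challenge number out of the banner text."""
    m = PROMPT_RE.search(banner)
    if m is None:
        raise ValueError("challenge prompt not found")
    n = int(m.group(1))
    if n > 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return n

def encode_answer(n):
    """Fixed-width encoding: always 4 bytes, least-significant byte first."""
    return struct.pack("<I", n)

def server_view(data):
    """Assumed receiver model: first 4 bytes read as a little-endian uint32."""
    return int.from_bytes(data[:4], "little")

def unpadded_hex_reverse(n):
    """Pitfall: reversing hex digit pairs without zero-padding to 8 digits."""
    h = hex(n)[2:]
    pairs = [h[i:i + 2] for i in range(0, len(h), 2)]
    return bytes.fromhex("".join(reversed(pairs)))

if __name__ == "__main__":
    # Banner line copied from the post's session.
    banner = "Please send '3952255007' as a little endian, 32bit integer.\n"
    n = parse_challenge(banner)
    print(n, "->", encode_answer(n).hex())
    # Sending the ASCII text "1000" reproduces the "Close" value from the post.
    print("ASCII '1000' is read as", server_view(b"1000"))
    # Constructed small values: the unpadded variant comes up short.
    for small in (4096, 255):
        print(small, encode_answer(small).hex(), unpadded_hex_reverse(small).hex())
```

For the eight-digit value in the session both approaches give the same four bytes; they diverge only when the number has leading zero bytes.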