Exploit Education | Phoenix | Net Zero Solution

The description and source code can be found here:
http://exploit.education/phoenix/net-zero/

In this challenge, we’re given an integer (as a string) and are expected to convert that to the “native endian of the architecture the binary is running on.” For instance, if we’re given “4096”, the hex value of that is 0x1000. In little endian format, this equates to 0x0010. So that’s what we’d need to send back to the program (as bytes).

I’ll check this with netcat first:

user@phoenix-amd64:~$ nc 127.1 64000
Welcome to phoenix/net-zero, brought to you by https://exploit.education
Please send '3952255007' as a little endian, 32bit integer.
1000
Close - you sent 808464433 instead

Fun fact, the IP address 127.0.0.1 can be truncated to 127.1!

I sent the ASCII representation of the number 1000 back to the program. In hex, this would look like 0x31303030. However, the program reads those bytes as a little endian integer, so the value it ends up with is 0x30303031. Converting that to an integer:

user@phoenix-amd64:~$ python3 -c 'print(int("0x30303031", 0))'
808464433

Now that I know what’s going on, I can write a Python script to parse out the string, convert it to bytes in little endian format, and send it back to the program. Save this Python script, make it executable, and execute it:

#!/usr/bin/env python3

import socket
import time

IP = "127.0.0.1"
PORT = 64000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))

# Get the first 2 lines
print(s.recv(132).decode(), end='')
time.sleep(0.1)
msg = s.recv(132).decode()
print(msg)

# Save the number within the second line
number = int(msg.split("'")[1])

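# Convert to hex, zero-padded to 8 digits (4 bytes) so the byte pairs
# split evenly and a full 32-bit value is always sent
hexval = "{:08x}".format(number)
print("Hex value of the number is: 0x{}".format(hexval))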

# Reverse the hex value to put it in little endian format
rev_hex = "".join(reversed([hexval[i:i+2] for i in range(0, len(hexval), 2)]))

# Send the data as bytes
print('Sending "{}"\n'.format("0x" + rev_hex))
byteval = bytes.fromhex(rev_hex)
s.send(byteval)

# Print the last message
print(s.recv(132).decode())
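
As an added example (not part of the original post), here is the same conversion done with struct.pack, which always emits exactly four bytes, plus a helper that reproduces the "Close - you sent ..." value from the netcat test. The function names are illustrative; the prompt text is copied from the session above.

```python
import re
import struct

# Prompt format taken from the netcat session shown above.
PROMPT_RE = re.compile(r"Please send '(\d+)' as a little endian, 32bit integer")

def parse_challenge(text):
    """Return the integer from the server prompt, or raise ValueError."""
    m = PROMPT_RE.search(text)
    if m is None:
        raise ValueError("prompt not found in server output")
    n = int(m.group(1))
    if n > 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return n

def encode_answer(n):
    """Pack n as exactly four bytes, least significant byte first."""
    return struct.pack("<I", n)

def as_server_sees(payload):
    """Interpret the first four bytes the way the little endian server does."""
    if len(payload) < 4:
        raise ValueError("server expects four bytes")
    return struct.unpack("<I", payload[:4])[0]

if __name__ == "__main__":
    # Banner copied from the session above; no network connection is made.
    banner = ("Welcome to phoenix/net-zero, brought to you by "
              "https://exploit.education\n"
              "Please send '3952255007' as a little endian, 32bit integer.\n")
    n = parse_challenge(banner)
    print("answer bytes:", encode_answer(n).hex())
    # What happened when the ASCII text "1000" was typed into netcat
    print("ASCII '1000' is read as:", as_server_sees(b"1000\n"))
    # Small values are still padded to four bytes
    print("4096 encodes as:", encode_answer(4096).hex())
```

In the script above, the value returned by encode_answer() is what would be passed to s.send().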
