{"id":503,"date":"2019-07-11T14:24:52","date_gmt":"2019-07-11T18:24:52","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=503"},"modified":"2019-08-16T13:17:20","modified_gmt":"2019-08-16T17:17:20","slug":"exploit-education-phoenix-net-zero-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-net-zero-solution\/","title":{"rendered":"Exploit Education | Phoenix | Net Zero Solution"},"content":{"rendered":"<p>The description and source code can be found here:<br \/>\n<a href=\"http:\/\/exploit.education\/phoenix\/net-zero\/\">http:\/\/exploit.education\/phoenix\/net-zero\/<\/a><\/p>\n<p>In this challenge, we&#8217;re given an integer (as a string) and are expected to convert that to the &#8220;native endian of the architecture the binary is running on.&#8221; For instance, if we&#8217;re given &#8220;4096&#8221;, the hex value of that is 0x1000. In little endian format, this equates to 0x0010. So that&#8217;s what we&#8217;d need to send back to the program (as bytes).<\/p>\n<p>I&#8217;ll check this with netcat first:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">user@phoenix-amd64:~$ nc 127.1 64000\r\nWelcome to phoenix\/net-zero, brought to you by https:\/\/exploit.education\r\nPlease send '3952255007' as a little endian, 32bit integer.\r\n1000\r\nClose - you sent 808464433 instead<\/pre>\n<p>Fun fact, the IP address 127.0.0.1 can be truncated to 127.1!<\/p>\n<p>I sent the ASCII representation of the number 1000 back to the program. In hex, those bytes look like 0x31303030. However, the program reads them as a little endian integer, so the value it ends up with is 0x30303031. 
Converting that to an integer:<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">user@phoenix-amd64:~$ python3 -c 'print(int(&quot;0x30303031&quot;, 0))'\r\n808464433<\/pre>\n<p>Now that I know what&#8217;s going on, I can write a Python script to parse out the string, convert it to bytes in little endian format, and send it back to the program. Save this Python script, make it executable, and execute it:<\/p>\n<pre class=\"brush: python; light: false; title: net-zero.py; notranslate\" title=\"net-zero.py\">#!\/usr\/bin\/env python3\r\n\r\nimport socket\r\nimport time\r\n\r\nIP = &quot;127.0.0.1&quot;\r\nPORT = 64000\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((IP, PORT))\r\n\r\n# Get the first 2 lines\r\nprint(s.recv(132).decode(), end='')\r\ntime.sleep(0.1)\r\nmsg = s.recv(132).decode()\r\nprint(msg)\r\n\r\n# Save the number within the second line\r\nnumber = int(msg.split(&quot;'&quot;)&#x5B;1])\r\n\r\n# Convert to hex, zero-padded to 8 digits so that 4 bytes are always sent\r\nhexval = &quot;{:08x}&quot;.format(number)\r\nprint(&quot;Hex value of the number is: 0x{}&quot;.format(hexval))\r\n\r\n# Reverse the byte order of the hex value to put it in little endian format\r\nrev_hex = &quot;&quot;.join(reversed(&#x5B;hexval&#x5B;i:i+2] for i in range(0, len(hexval), 2)]))\r\n\r\n# Send the data as bytes\r\nprint('Sending &quot;{}&quot;\\n'.format(&quot;0x&quot; + rev_hex))\r\nbyteval = bytes.fromhex(rev_hex)\r\ns.send(byteval)\r\n\r\n# Print the last message\r\nprint(s.recv(132).decode())<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Can you convert string provided to the native endian of the architecture the binary is running on? 
&hellip; <a href=\"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-net-zero-solution\/\" class=\"more-link\"><span class=\"readmore\">Continue reading<span class=\"screen-reader-text\">Exploit Education | Phoenix | Net Zero Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-503","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=503"}],"version-history":[{"count":11,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/503\/revisions"}],"predecessor-version":[{"id":682,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/503\/revisions\/682"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}