Points: 150
Category: PWN

Description

You are still trying to get code execution on your own? Hahaha.

There is an app for that!

We are now introducing Remote Code Execution as a Service (RCEaaS).

Pro tips:

  • +[--->++<]>.++++[->++++<]>+.++++++++++.----------.+++++++++++.[---->+<]>+++.-[--->++<]>--.++++++++++++..----.[-->+<]>++.-----------..[--->+<]>+++.[--->+<]>.--------.[->+++++<]>--.+[--->+<]>++++.++++++.[--->+<]>-----.---[->++<]>.++[--->++<]>+.>++++++++++.
  • Flag is at A:\FLAG.TXT
  • No keyboard input in the Freemium version :/
nc 130.211.155.146 20666download

tl;dr

The server reads the input, compiles it as a brainfuck program (we are provided with the source code of the compiler used), spawns new DOS machine and executes the program on it. The flag is on the same spawned machine our program is running on. The solution is to inject DOS shellcode into executed code.

Solution

I started with inspecting the memory content around the initial BC register searching for the code of provided program. After comparing the outputs of commands:

I’ve confirmed where the code is stored. As the code can contain jumps (‘[]’) it is easy to inject shellcode by moving tho the code over some jump and overwriting the jump address. The remaining part was to construct the shellcode which would read a flag under DOS. After some googling I found:

And constructed shellcode:

The working solution code in python connecting and read sending encoded shellcode:

 

Tagged with:

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Share This