pwnable.kr second question: collision

0x000 open environment

Connect over SSH.

 

Locate the source file.

 

 

0x001 source code analysis 

The source file is col.c.

 

Knowledge points:

A char is 1 byte and an int is 4 bytes. The user input is char data, and the program treats it as int data once it runs.

 

① First, line 25 runs the /bin/cat flag command. The condition for reaching it, on line 24, is hashcode == check_password(argv[1]). Line 20 shows that the user input is of type char and must be 20 bytes long. hashcode is 0x21DD09EC, i.e. 568,134,124 in decimal.

② check_password(argv[1]), lines 4-11: the function converts the char data entered by the user to int by assigning the starting address of the user input to the pointer ip. It then walks the user input through that pointer, adding the values one by one, and finally returns the result res. If res is equal to hashcode, the program outputs the flag.

0x002 program run

The user input is 20 bytes of char (1 byte each) data, which is treated as int (4 bytes each) data when the program runs. So construct 5 int values whose sum is 568,134,124 and then convert those 5 values back to char data, which is exactly 20 bytes. The five values can be arbitrary as long as they add up to 568,134,124. To avoid unnecessary trouble with overflow, it is better to use the average value: 4 values of 113626825 and 1 value of 113626824, which as char data are \xc9\xce\xc5\x06 and \xc8\xce\xc5\x06. The following is the program code

 

-c: executes the command string (cmd) that follows it. A command enclosed in backticks "`" is executed by the current shell, and its output is substituted into the command line.
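The arithmetic from the paragraph above, as an added example that is not part of the original write-up. It models the check as described (five 4-byte values summed), assuming little-endian byte order and 32-bit wraparound; the function names are hypothetical. It also shows why near-average values are convenient: the input arrives as argv[1], which cannot carry a NUL byte.

```python
import struct

HASHCODE = 0x21DD09EC  # target value quoted in the write-up
WORDS = 5              # 20 input bytes read as five 4-byte ints


def check_password(buf):
    """Model of the check described above (assumed little-endian, 32-bit wraparound)."""
    if len(buf) != 4 * WORDS:
        raise ValueError("input must be exactly 20 bytes")
    return sum(struct.unpack("<5I", buf)) & 0xFFFFFFFF


def split_target(target, parts=WORDS):
    """Split target into near-equal words: r words of q+1, the rest q."""
    q, r = divmod(target, parts)
    return [q + 1] * r + [q] * (parts - r)


def build_input(target=HASHCODE):
    """Pack the words and reject encodings that cannot survive as argv[1]."""
    buf = struct.pack("<5I", *split_target(target))
    # argv strings are NUL-terminated, so a 0x00 byte would cut the
    # input short of the required 20 bytes.
    if b"\x00" in buf:
        raise ValueError("a word contains a NUL byte; choose a different split")
    return buf


def naive_input(target=HASHCODE):
    """Counter-example: [target, 0, 0, 0, 0] sums correctly but is mostly NUL bytes."""
    return struct.pack("<5I", target, 0, 0, 0, 0)


if __name__ == "__main__":
    payload = build_input()
    print(split_target(HASHCODE), payload, hex(check_password(payload)))
    print("naive split contains NUL:", b"\x00" in naive_input())
```

Because many different 20-byte inputs produce the same sum, an additive checksum like this offers no collision resistance when used as a password check.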

The flag is:

daddy! I just managed to create a hash collision :)

Attached: Python script

from pwn import *

# Log in to the challenge host over SSH
pwn_ssh = ssh(host='pwnable.kr', port=2222, user='col', password='guest')
print(pwn_ssh.connected())

# Pass the 20 bytes as a bytes literal so they reach argv[1] unchanged
sh = pwn_ssh.process(argv=['collision', b'\xc9\xce\xc5\x06'*4 + b'\xc8\xce\xc5\x06'], executable='./col')
print(sh.recvall())

 

 

 


Origin www.cnblogs.com/DennyT/p/11512009.html